├── Pictures
├── inode.JPG
├── netfilter.png
└── dns_resolution.gif
├── LICENSE
├── README.md
├── UserandGroupManagement.md
├── Networking.md
├── StorageManagement.md
├── ServiceConfiguration.md
├── OperationofRunningSystems.md
└── EssentialCommands.md
/Pictures/inode.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/simonesavi/lfcs/HEAD/Pictures/inode.JPG
--------------------------------------------------------------------------------
/Pictures/netfilter.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/simonesavi/lfcs/HEAD/Pictures/netfilter.png
--------------------------------------------------------------------------------
/Pictures/dns_resolution.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/simonesavi/lfcs/HEAD/Pictures/dns_resolution.gif
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) Microsoft Corporation. All rights reserved.
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Linux Foundation Certified System Administrator (LFCS)
2 |
3 | These are the notes I wrote during my preparation for the [LFCS exam](https://training.linuxfoundation.org/certification/linux-foundation-certified-sysadmin-lfcs/).
4 |
5 | The structure of the notes is based on the [***Certification Preparation Guide - August 2018***](https://training.linuxfoundation.org/resources/publications/certification-preparation-guide/).
6 |
7 | These notes contain instructions/commands for the *CentOS* distribution.
8 |
9 | These notes cannot be considered a sole source of information to prepare for the LFCS exam, but they can be used as a guideline to understand which topics you must be able to handle to pass the exam.
10 |
11 | ## Domains & Competencies
12 |
13 | [Essential Commands - 25%](EssentialCommands.md)
14 |
15 | [Operation of Running Systems - 20%](OperationofRunningSystems.md)
16 |
17 | [User and Group Management - 10%](UserandGroupManagement.md)
18 |
19 | [Networking - 12%](Networking.md)
20 |
21 | [Service Configuration - 20%](ServiceConfiguration.md)
22 |
23 | [Storage Management - 13%](StorageManagement.md)
24 |
25 | ## Other similar open source projects
26 |
27 | I found inspiration for this guide in two other GitHub projects:
28 |
29 | * [LFCS APUNTES](https://github.com/s-nt-s/LFS201/blob/master/LFCS/APUNTES.md)
30 |     * Spanish language
31 |     * Based on Ubuntu
32 | * [Linux Foundation Certified System Administrator (LFCS) - Pluralsight Course Series notes](https://github.com/digitalbear/lfcs)
33 |     * English language
34 |     * Incomplete
35 |
36 |
--------------------------------------------------------------------------------
/UserandGroupManagement.md:
--------------------------------------------------------------------------------
1 | # User and Group Management
2 |
3 | ## Create, delete, and modify local user accounts
4 |
5 | useradd
6 |
7 | * Add users
8 |
9 | * `useradd -D` prints the default configuration used by the useradd command
10 |
11 | ```bash
12 | GROUP=100
13 | HOME=/home
14 | INACTIVE=-1
15 | EXPIRE=
16 | SHELL=/bin/bash
17 | SKEL=/etc/skel
18 | CREATE_MAIL_SPOOL=yes
19 | ```
20 |
21 | *GROUP=100* -> default group
22 |
23 | *HOME=/home* -> base for home directory
24 |
25 | *INACTIVE=-1* -> user password won't expire
26 |
27 | *EXPIRE=* -> user account won't expire
28 |
29 | *SHELL=/bin/bash* -> default shell
30 |
31 | *SKEL=/etc/skel* -> skeleton directory. Its content is copied into the new user's home directory
32 |
33 | *CREATE_MAIL_SPOOL=yes* -> the user gets a mail spool to receive email
34 |
35 | * This configuration is saved in `/etc/default/useradd`
36 |
37 | * The parameters in `/etc/login.defs` are also evaluated when a user is added
38 |
39 | * Some parameters of `/etc/login.defs` override the `/etc/default/useradd` parameters
40 |
41 | * `/etc/login.defs` contains:
42 |
43 |     * Location of the mail spool
44 |     * Password settings
45 |     * *CREATE_HOME yes* -> create the home directory
46 |     * *USERGROUPS_ENAB yes* -> a group with the same name as the user is created and becomes the user's default group. This means the value of GROUP in `/etc/default/useradd` is overridden
47 |
48 | * `useradd` parameters:
49 |
50 |     * `-c` Any text string. It is generally a short description of the login and is currently used as the field for the user's full name.
51 |     * `-e` date after which the user will be disabled
52 |     * `-g` primary group. **NOTE**: if not specified, a new group with the same name as the user is created and becomes the user's primary group
53 |     * `-G` secondary groups
54 |     * `-m` create the home directory. Not needed because CREATE_HOME is yes
55 |     * `-p` configure the password. **NOTE**: the value must be provided already hashed (encrypted), never in clear text
56 |         * Normally the password is not provided during user creation
57 |     * `-s` shell to use
58 |
59 | * When a user is created two files are changed:
60 |
61 |     * `/etc/passwd` contains user information, no passwords
62 |         * Syntax (fields separated by `:`):
63 |             * user name
64 |             * x: means that the password isn't stored here
65 |             * userid: user id (UID)
66 |             * groupid: primary group id (GID)
67 |             * user info: the comment field
68 |             * home: home directory
69 |             * shell: shell
70 |         * To edit the file: `vipw`
71 |     * `/etc/shadow` contains the password hashes plus the password properties
72 |         * To edit the file: `vipw -s`
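A small audit of the two files described above, added here as an example and not part of the original notes. The passwd and shadow contents are constructed samples (names, UIDs and hashes are invented); on a real system the functions take the content of `/etc/passwd` and `/etc/shadow` read as root.

```shell
#!/bin/sh
# Added example, not part of the original notes: a small audit of the two files
# useradd writes, /etc/passwd and /etc/shadow. The file contents below are
# constructed samples (account names, UIDs and hashes are invented); on a real
# system pass "$(cat /etc/passwd)" and "$(cat /etc/shadow)" as root.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
brenda:x:1001:1001:Brenda Smith:/home/brenda:/bin/bash
ops2:x:0:1002:ops helper:/home/ops2:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin'

SHADOW_SAMPLE='root:$6$saltsalt$hashofrootpassword:18000:0:99999:7:::
bin:*:17000:0:99999:7:::
brenda:!$6$saltsalt$hashofbrendapassword:18100:0:99999:7:::
ops2::18200:0:99999:7:::
ftp:!!:17000:0:99999:7:::'

# /etc/passwd fields: name:x:UID:GID:comment:home:shell
# Any account other than root with UID 0 is root under another name.
uid0_accounts() {          # $1 = passwd content
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts that can get an interactive shell (everything not *nologin/false).
interactive_accounts() {   # $1 = passwd content
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# An empty hash field means the account logs in with no password at all.
nopass_accounts() {        # $1 = shadow content
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# passwd -l / usermod -L prefix the hash with "!"; "!!" (or "*") means no
# usable password was ever set. Both are locked as far as password login goes.
locked_accounts() {        # $1 = shadow content
    printf '%s\n' "$1" | awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

# Accounts with a usable password whose max-age field (5th) is still the
# default 99999: the password effectively never expires.
never_expiring_accounts() {   # $1 = shadow content
    printf '%s\n' "$1" | awk -F: '$2 != "" && $2 !~ /^[!*]/ && $5 == 99999 { print $1 }'
}

audit_report() {           # $1 = passwd content, $2 = shadow content
    echo "extra UID 0 accounts:     $(uid0_accounts "$1" | tr '\n' ' ')"
    echo "passwordless accounts:    $(nopass_accounts "$2" | tr '\n' ' ')"
    echo "locked accounts:          $(locked_accounts "$2" | tr '\n' ' ')"
    echo "never-expiring passwords: $(never_expiring_accounts "$2" | tr '\n' ' ')"
    echo "interactive shells:       $(interactive_accounts "$1" | tr '\n' ' ')"
}

audit_report "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```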
73 |
74 |
75 |
76 | usermod
77 |
78 | * used to modify a user
79 | * `usermod` parameters:
80 |     * `-L` lock the user's password
81 |     * `-U` unlock the user's password
82 |     * `usermod -e 1 user` disable user
83 |     * `usermod -e "" user` enable user
84 |
85 |
86 |
87 | userdel
88 |
89 | * remove a user
90 | * `userdel -r user`
91 |     * `-r` remove the home directory and mail spool. **NOTE**: if it is not used and a user with the same name is created later, there will be a conflict with the leftover files
92 |     * `-f` force. Delete the user even if he is logged in
93 |
94 |
95 |
96 | passwd
97 |
98 | * Change the password of the current user
99 | * `passwd user`
100 |     * Used by root
101 |     * Change the password of *user*
102 | * `passwd -l user`
103 |     * Used by root
104 |     * Lock the password of *user*
105 | * `echo newpass | passwd --stdin brenda`
106 |     * Changes the password of brenda
107 |     * Can be used in a script
108 |     * **NOTE**: Dangerous, the password is in clear text (and ends up in the shell history)
109 |
110 |
111 |
112 | chage
113 |
114 | * Change user password expiry information
115 | * If used without parameters it prompts for the information
116 |     * It permits changing the date when the password was last changed
117 | * `chage -E 2014-09-11 user`
118 |     * Sets a date after which the user will be locked
119 |
120 |
121 |
122 | ## Create, delete, and modify local groups and group memberships
123 |
124 | groupadd
125 |
126 | * add a group
127 | * When a group is created the `/etc/group` file is changed
128 |     * Syntax (fields separated by `:`):
129 |         * group_name: the name of the group. If you run `ls -l`, you will see this name printed in the group field.
130 |         * Password: generally a password is not used, hence it is empty. It can store an encrypted password; this is useful to implement privileged groups.
131 |         * Group ID (GID): group id
132 |             * Each user must be assigned a group ID. You can see this number in `/etc/passwd`.
133 |         * Group List: the list of user names of the members of the group. The user names must be separated by commas.
134 |             * **NOTE**: groups without a group list are used as the primary group of some users
135 |
136 |
137 |
138 | groupdel
139 |
140 | * delete group
141 |
142 |
143 |
144 | groupmod
145 |
146 | * modify group
147 |
148 |
149 |
150 | * `usermod -aG group user`
151 |     * Add a group to a user
152 |     * `-G` list of secondary groups
153 |     * `-a` append. **NOTE**: if not specified, the new group list overrides the current value (the user is removed from every secondary group not listed)
154 |
155 |
156 |
157 | ## Manage system-wide environment profiles
158 |
159 | * The variables for all users are stored in `/etc/environment`
160 |
161 | * The variables for a single user are stored in the file `.bash_profile` in his home directory
162 |     * **NOTE**: it is a hidden file, visible only with `ls -la`
163 |
164 | ## Manage template user environment
165 |
166 | * `/etc/skel` skeleton directory. Its content is copied into the new user's home directory
167 |
168 | ## Configure user resource limits
169 |
170 | ulimit
171 |
172 | * It limits the use of system resources per user or group
173 |
174 | * Limits can be configured by changing the file `/etc/security/limits.conf`
175 |
176 | * Typical configuration
177 |
178 | ```bash
179 | 1. @student hard nproc 20
180 | 2. @faculty soft nproc 20
181 | 3. ftp hard nproc 0
182 | 4. @student - maxlogins 4
183 | ```
184 |
185 | 1. Members of the student group can run at most 20 processes
186 | 2. Members of the faculty group receive a notice once more than 20 processes are running (soft limit)
187 | 3. The ftp user cannot run any process
188 | 4. Members of student can have at most 4 simultaneous logins. `-` means both hard and soft
189 |
190 | * `man limits.conf` for the manual
191 |
192 | * Limits are enforced in the next opened session
193 | * The `ulimit` command can also be used to change limits in the current shell
195 |
196 | ## Manage user privileges
197 |
198 | Refer to `sudo` configuration
199 |
200 | ## Configure PAM
201 |
202 | * PAM = Pluggable Authentication Modules
203 | * A command/program can be PAM aware
204 | * PAM can be used to configure e.g. login to use Active Directory or LDAP
205 | * Use `ldd` to see if a command uses the PAM libraries
206 |     * `ldd /usr/bin/passwd | grep pam`
207 |
208 | * Each command that uses PAM has an entry in `/etc/pam.d` with its PAM configuration
209 | * A good example of PAM configuration is shown in the pam_tally2 module man page
210 |     * pam_tally2: the login counter (tallying) module
211 |     * At the end of the man page there is an example that configures login to lock the account after 4 failed logins
212 |     * `man pam_tally2`
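A check for the pam_tally2 lockout described above, added here as an example and not taken from the notes or the man page. The two PAM stack files are constructed in a scratch directory; on a real CentOS system pass `/etc/pam.d/login` or `/etc/pam.d/system-auth`, and note that it assumes the simple control keywords rather than the `[value=action]` form.

```shell
#!/bin/sh
# Added example, not from the original notes: check whether a PAM stack file
# enforces the pam_tally2 lockout the notes refer to. The two stack files are
# constructed here in a scratch directory; on a real CentOS system pass
# /etc/pam.d/login or /etc/pam.d/system-auth instead. Assumes the simple
# control keywords (required/requisite/...) rather than the [value=action] form.

demo_dir=$(mktemp -d)

# Stack in the shape of the pam_tally2(8) man page example: lock after 4
# failures, and reset the counter on successful login via the account phase.
cat > "$demo_dir/login.good" <<'EOF'
auth     required   pam_securetty.so
auth     required   pam_tally2.so deny=4 even_deny_root unlock_time=1200
auth     required   pam_env.so
auth     required   pam_unix.so
auth     required   pam_nologin.so
account  required   pam_tally2.so
account  required   pam_unix.so
EOF

# Same stack without the account line: the counter is never reset, so every
# user eventually locks out once 4 failed attempts accumulate over time.
cat > "$demo_dir/login.bad" <<'EOF'
auth     required   pam_securetty.so
auth     required   pam_tally2.so deny=4 unlock_time=1200
auth     required   pam_unix.so
account  required   pam_unix.so
EOF

# Print the deny= threshold of the pam_tally2 auth line (empty if absent).
tally_deny_threshold() {   # $1 = PAM stack file
    awk '$1 == "auth" && $3 ~ /pam_tally2\.so$/ {
             for (i = 4; i <= NF; i++) if ($i ~ /^deny=/) { sub(/^deny=/, "", $i); print $i }
         }' "$1"
}

# Succeeds when pam_tally2 is also listed in the account phase.
tally_account_reset() {    # $1 = PAM stack file
    awk '$1 == "account" && $3 ~ /pam_tally2\.so$/ { found = 1 } END { exit !found }' "$1"
}

# One-line verdict; returns non-zero when the lockout is missing or misconfigured.
tally_status() {           # $1 = PAM stack file
    deny=$(tally_deny_threshold "$1")
    if [ -z "$deny" ]; then
        echo "no pam_tally2 auth line: failed logins are not counted"
        return 1
    fi
    if ! tally_account_reset "$1"; then
        echo "lockout after $deny failures, but no account line: counter never resets"
        return 1
    fi
    echo "lockout after $deny failures, counter reset OK"
}

tally_status "$demo_dir/login.good"
tally_status "$demo_dir/login.bad" || true
```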
213 |
--------------------------------------------------------------------------------
/Networking.md:
--------------------------------------------------------------------------------
1 | # Networking
2 |
3 | ## Configure networking and hostname resolution statically or dynamically
4 |
5 | * `ip addr show`
6 |
7 | Show IP addresses configuration
8 |
9 | * `ip a s`
10 |
11 | Short syntax
12 |
13 | * `nmtui`
14 |
15 | *Network Manager Text User Interface* - menu-driven text interface to manage the network connection configuration
16 |
17 |     * Manual means that the IP is configured manually
18 |     * Automatic means that DHCP is used
19 |     * **NOTE**: the IP must be entered with the syntax IP/NETMASK (e.g. 192.168.0.2/24)
20 |
21 |
22 | * All network configuration is stored in `/etc/sysconfig/network-scripts`
23 |
24 | * If the IP configuration of an interface must be changed without using `nmtui`, remember to shut down the interface, change the IP, then bring the interface up again
25 |     * `ip link set eth0 down` Shut down interface eth0
26 |     * `ip addr add 192.168.0.2/24 dev eth0` Assign IP 192.168.0.2/24 to interface eth0
27 |     * `ip link set eth0 up` Bring interface eth0 up again
28 |
29 |
30 |
31 | * The hostname can be changed by editing `/etc/hostname`
32 |
33 | * `hostname` shows the current hostname
34 | * Alternative: `hostnamectl set-hostname your-new-hostname` sets the hostname to your-new-hostname
35 | * A reboot is required to see the new hostname applied
36 |
37 | * `/etc/hosts` configures name resolution that takes precedence over DNS
38 |
39 | * It contains static name-to-IP entries
40 |
41 | * It is possible to add the hostname to the 127.0.0.1 row, or to add a row mapping the static IP configured on the principal interface to the hostname
42 |
43 | * `/etc/resolv.conf` configures the DNS server entries
44 |
45 | * More than one *nameserver* can be listed as backup (primary and secondary)
46 |
47 | ## Configure network services to start automatically at boot
48 |
49 | Network Manager
50 |
51 | * Its purpose is to automatically detect, configure, and connect to a network whether wired or wireless such as VPN, DNS, static routes, addresses, etc which is why you'll see #Configured by NetworkManager in /etc/resolv.conf, for example. Although it will prefer wired connections, it will pick the best known wireless connection and whichever it deems to be the most reliable. It will also switch over to wired automatically if it's there.
52 | It's not necessary and many (including me) disable it as most would rather manage their own network settings and don't need it done for them.
53 | * `systemctl stop NetworkManager.service`
54 | * `systemctl disable NetworkManager.service`
55 |
56 |
57 |
58 | Network
59 |
60 | * `systemctl status network` to check network configuration status
61 | * `systemctl restart network` to reload network configuration
62 |
63 |
64 |
65 | References:
66 |
67 | * [https://unix.stackexchange.com/questions/449186/what-is-the-usage-of-networkmanager-in-centos-rhel7](https://unix.stackexchange.com/questions/449186/what-is-the-usage-of-networkmanager-in-centos-rhel7)
68 |
69 | ## Implement packet filtering
70 |
71 | * The firewall is managed by the kernel
72 |
73 | * The kernel firewall functionality is Netfilter
74 | * Netfilter processes the packets that enter and leave the system
75 | * For this it has two tables of rules called chains:
76 |     * *INPUT* contains the rules applied to packets that enter the system
77 |     * *OUTPUT* contains the rules applied to packets that leave the system
78 | * Another chain is used if the system is configured as a router: *FORWARD*
79 | * Finally there are two other chains: PREROUTING, POSTROUTING
80 |
81 | 
82 |
83 | * The picture shows the order in which the various chains are evaluated. The arrows indicate the route of the packets:
84 |
85 |     * Incoming packets are generated from the outside
86 |     * Outgoing packets are either generated by an application or are packets in transit
87 |
88 | * The rules inside a chain are evaluated in order.
89 |
90 |     * When a rule matches, the remaining rules are skipped
91 |     * If no rule matches, the default policy is applied
92 |     * Default policy:
93 |         * ACCEPT: the packet is accepted and continues its path through the chains
94 |         * DROP: the packet is discarded
95 |
96 | * The utility to manage firewall is `iptables`
97 |
98 | * `iptables` will create rules for chains that will be processed in an orderly way
99 |
100 | * `firewalld` is a service that uses iptables to manage the firewall rules
101 |
102 | * `firewall-cmd` is the command to manage firewalld
103 |
104 |
105 |
106 | Firewalld
107 |
108 | * firewalld is enabled by default in CentOS
109 | * It works with zones; *public* is the default zone
110 | * A *zone* is applied to an interface
111 | * The idea is that we can have a safe zone, e.g. bound to an internal interface, and an unsafe zone, e.g. bound to external, internet-facing interfaces
112 | * `firewall-cmd --list-all` shows the current configuration
113 |     * services -> services allowed to use the interface
114 |     * ports -> ports allowed to use the interface
115 | * `firewall-cmd --get-services` shows the list of predefined services
116 | * The services are configured in `/usr/lib/firewalld/services`
117 |     * `/usr/lib/firewalld/services` contains an XML file per service with its configuration
118 |
119 | * `firewall-cmd --add-service service` adds a service to the runtime configuration
120 |     * **NOTE**: this is not a permanent configuration
121 | * `firewall-cmd --reload` reloads the firewalld configuration
122 |     * **NOTE**: a service added with the previous command disappears after the reload
123 | * `firewall-cmd --add-service service --permanent` adds a service to the permanent configuration
124 |     * **NOTE**: now the service is still present after the firewalld configuration is reloaded
125 | * `firewall-cmd --add-port 4000-4005/tcp` opens TCP ports from 4000 to 4005
126 | * `firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT`
127 |     * Adds a firewall rule using iptables syntax
128 |     * This permanently adds a rule, as the first one in the OUTPUT chain, that allows connections to TCP destination port 80
129 |
130 |
131 |
132 | iptables
133 |
134 | * The `firewalld` daemon can be replaced with the `iptables` service (the configuration that was in place until recently)
135 |     * `systemctl stop firewalld`
136 |     * `iptables -L`
137 |         * More verbose output: `iptables -L -v`
138 |         * Shows the configuration of the iptables chains
139 |         * Note that the policy is set to ACCEPT for every chain. This means no packet is rejected, which is equivalent to having the firewall switched off
140 |     * `systemctl disable firewalld`
141 |     * `yum -y install iptables-services`
142 |     * `systemctl enable iptables`
143 |
144 |
145 |
146 | * With this configuration rules must be inserted
147 | * `iptables -P INPUT DROP`
148 |     * Set the default policy to DROP for the INPUT chain
149 | * iptables rule syntax:
150 |     * `iptables {-A|I} chain [-i/o interface] [-s/d ipaddress] [-p tcp|udp|icmp [--dport|--sport nn…]] -j [LOG|ACCEPT|DROP|REJECT]`
151 |     * `{-A|I} chain`
152 |         * `-A` append as last rule
153 |         * `-I` insert. This takes a number after the chain that indicates the rule position
154 |     * `[-i/o interface]`
155 |         * E.g. `-i eth0` - the packet is received (input) on interface eth0
156 |     * `[-s/d ipaddress]`
157 |         * `-s` Source address. ipaddress can be an address or a subnet
158 |         * `-d` Destination address. ipaddress can be an address or a subnet
159 |     * `[-p tcp|udp|icmp [--dport|--sport nn…]]`
160 |         * `-p` protocol
161 |         * `--dport` Destination port
162 |         * `--sport` Source port
163 |     * `-j [LOG|ACCEPT|DROP|REJECT]`
164 |         * `ACCEPT` accept the packet
165 |         * `DROP` silently discard the packet
166 |         * `REJECT` reject the packet with an ICMP error packet
167 |         * `LOG` log the packet. Evaluation of the following rules continues.
168 |
169 | * E.g.
170 |     * `iptables -A INPUT -i lo -j ACCEPT`
171 |         * Accept all inbound loopback traffic
172 |     * `iptables -A OUTPUT -o lo -j ACCEPT`
173 |         * Accept all outbound loopback traffic
174 |     * `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`
175 |         * Accept all inbound traffic for TCP port 22
176 |     * `iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`
177 |         * This rule ACCEPTs all traffic generated as a response to an inbound connection that was accepted. E.g. if incoming traffic for a web server on port 80 was accepted, this rule lets the response traffic leave the system without specific rules in the OUTPUT chain
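The rules above assembled into a complete stateful default-deny baseline, added here as an example and not part of the original notes. It assumes SSH on TCP/22, root privileges and legacy `iptables`; setting `IPT=echo` prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original notes: the rules listed above assembled
# into a complete stateful default-deny baseline, in an order that does not
# lock out the administrator's SSH session. Assumptions: SSH on TCP/22, run as
# root, legacy iptables. Override IPT to preview instead of applying:
#   IPT=echo sh baseline.sh --apply      (or: sh baseline.sh --preview)
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"

baseline_rules() {
    # Start from an empty filter table so the result does not depend on
    # whatever rules were already loaded.
    "$IPT" -F
    "$IPT" -X

    # Loopback traffic, needed by many local services.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Replies to connections that were already accepted, in both directions.
    # The notes only show the OUTPUT side; without the INPUT rule a DROP
    # policy also kills the answers to the machine's own outbound connections
    # (yum, DNS, NTP).
    "$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services explicitly allowed in: only SSH here, add others below it.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

    # Log what is about to fall through to the DROP policy (rate-limited so a
    # scan cannot fill the log). LOG does not stop rule evaluation.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "

    # Policies last: setting INPUT to DROP before the ACCEPT rules exist would
    # cut the current SSH session the moment the command runs.
    "$IPT" -P INPUT   DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT  ACCEPT
}

# Previews the ruleset (IPT=echo) and returns 0 when the INPUT DROP policy
# comes after the SSH accept rule, i.e. the safe ordering described above.
check_order() {
    out=$( IPT=echo; baseline_rules )
    ssh_line=$(printf '%s\n' "$out" | grep -n -- "--dport $SSH_PORT" | cut -d: -f1)
    drop_line=$(printf '%s\n' "$out" | grep -n -- "-P INPUT DROP" | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$drop_line" ] && [ "$ssh_line" -lt "$drop_line" ]
}

case "${1:-}" in
    --apply)   baseline_rules ;;
    --preview) ( IPT=echo; baseline_rules ) ;;
    --check)   check_order && echo "rule order OK" ;;
esac
```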
178 |
179 |
180 |
181 | * **NOTE**: the file `/etc/services` contains a list of well-known ports with their service names
182 |
183 |
184 |
185 | References:
186 |
187 | * [https://debian-handbook.info/browse/da-DK/stable/sect.firewall-packet-filtering.html](https://debian-handbook.info/browse/da-DK/stable/sect.firewall-packet-filtering.html)
188 |
189 |
190 |
191 | ## Start, stop, and check the status of network services
192 |
193 | * Network services are controlled like any other daemon with the `systemctl` command
194 |     * `systemctl status servicename`
195 |
196 |
197 |
198 | * With `netstat` it is possible to list the internet ports opened by processes
199 |     * `yum -y install net-tools`
200 |     * `netstat -tln`
201 |         * Shows the TCP ports opened by processes (listening sockets, numeric output)
202 |
203 |
204 |
205 | ## Statically route IP traffic
206 |
207 | * `ip route show`
208 |     * Print the routing table
209 |     * Alternative command: `route -n`
210 | * `ip route add 192.0.2.1 via 10.0.0.1 [dev interface]`
211 |     * Add a route to 192.0.2.1 through 10.0.0.1. Optionally the interface can be specified
212 |     * To make the route persistent, create a *route-ifname* file for the interface through which the subnet is reached, e.g. eth0:
213 |         * `vi /etc/sysconfig/network-scripts/route-eth0`
214 |         * Add the line `192.0.2.1 via 10.0.0.101 dev eth0`
215 |         * `service network restart` to reload the file
216 |
217 | * `ip route add 192.0.2.0/24 via 10.0.0.1 [dev ifname]`
218 |     * Add a route to the subnet 192.0.2.0/24
219 |
220 |
221 |
222 | * To configure the system as a router, IP forwarding must be enabled
223 |     * `echo 1 > /proc/sys/net/ipv4/ip_forward`
224 |     * To make the configuration persistent:
225 |         * `echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/ipv4.conf`
226 |
227 | References:
228 |
229 | * [https://my.esecuredata.com/index.php?/knowledgebase/article/2/add-a-static-route-on-centos](https://my.esecuredata.com/index.php?/knowledgebase/article/2/add-a-static-route-on-centos)
230 |
231 |
232 |
233 | ## Synchronize time using other network peers
234 |
235 | * In time synchronization the concept of Stratum defines the accuracy of a server's time.
236 |     * A server with Stratum 0 is the most reliable
237 |     * A server synchronized with a Stratum 0 server becomes Stratum 1
238 |     * Stratum 10 is reserved for the local clock. This means it is not usable as a reference
239 |     * The upper limit for Stratum is 15
240 |     * Stratum 16 is used to indicate that a device is unsynchronized
241 | * Remember that time synchronization between servers is a slow process
242 |
243 |
244 |
245 | CHRONYD
246 |
247 | * Default mechanism to synchronize time in CentOS
248 | * Configuration file `/etc/chrony.conf`
249 |     * `server` parameters are the servers used as sources of synchronization
250 | * `chronyc sources` contacts the servers and shows their status
251 | * `chronyc tracking` shows the current status of the system clock
252 |
253 |
254 |
255 | * **NOTE**: if some of these commands do not work, refer to this bug [https://bugzilla.redhat.com/show_bug.cgi?id=1574418](https://bugzilla.redhat.com/show_bug.cgi?id=1574418)
256 |     * Quick workaround: `setenforce 0` (puts SELinux in permissive mode; revert with `setenforce 1` once the policy is fixed)
257 |     * Package `selinux-policy-3.13.1-229` should resolve the problem
258 |
259 |
260 |
261 | NTP
262 |
263 | * The old synchronization method. To enable it, chronyd must be disabled
264 | * Configuration file `/etc/ntp.conf`
265 |     * `server` parameters are the servers used as sources of synchronization
266 | * `ntpq -p` checks the current status of synchronization
267 |
--------------------------------------------------------------------------------
/StorageManagement.md:
--------------------------------------------------------------------------------
1 | # Storage Management
2 |
3 | ## List, create, delete, and modify physical storage partitions
4 |
5 | * `lsblk` lists all available disk devices plus their partitions
6 |
7 | * `fdisk` is used to manage disk partitions in MBR mode
8 |
9 |     * E.g. `fdisk /dev/sda`
10 |
11 |     This opens an interactive menu that permits showing the current status of the partitions or creating and deleting partitions
12 |
13 | * `gdisk` is used to manage disk partitions in GPT mode
14 |
15 |     * E.g. `gdisk /dev/sda`
16 |
17 | * Destroy all MBR partitions on a disk
18 |
19 |     * `gdisk /dev/sda` -> `x` (expert) -> `z` (zap)
20 |
21 | * Convert MBR to GPT
22 |
23 |     * `gdisk /dev/sda` -> `W` -> `Y`
24 |
25 | ## Manage and configure LVM storage
26 |
27 | * Before creating a logical volume, a physical volume and then a volume group must be created, in that order
28 | * A physical volume is a partition that can be part of a volume group. Inside a volume group, logical volumes can be created
29 | * The advantage of logical volumes is that their size can be managed easily
30 | * If more space is needed, a volume group can be extended as well
31 |
32 |
33 |
34 | Physical Volume
35 |
36 | * `pvcreate /dev/sdb1`
37 |
38 | To create a physical volume on partition sdb1
39 |
40 | * `pvs` lists available physical volumes
41 |
42 | * `pvdisplay /dev/sdb1` shows info of a physical volume
43 |
44 | Volume Group
45 |
46 | * `vgcreate vgname /dev/sdb1`
47 |
48 | To create a volume group called *vgname* and add the sdb1 physical volume to it
49 |
50 | * `vgs` lists available volume groups
51 |
52 | * `vgdisplay vgname` shows info of a volume group
53 |
54 | * `vgextend vgname /dev/sdc3` extends a volume group adding a new physical volume `/dev/sdc3`
55 |
56 | Logical volume
57 |
58 | * `lvcreate -n volumename -L 10G vgname`
59 |
60 | To create a logical volume called *volumename* of size 10GB on volume group *vgname*
61 |
62 | * `lvcreate -n volumename -l 100%FREE vgname`
63 |
64 | To create a logical volume called *volumename* with all available space on volume group *vgname*
65 |
66 | * `lvs` list available logical volumes
67 |
68 | * `lvdisplay` shows info of all logical volumes
69 |
70 | * `lvdisplay vgname/volumename` shows info of a logical volume *volumename* contained in *vgname* volume group
71 |
72 | * Before using a logical volume, a file system must be created on it
73 |
74 | * `blkid /dev/vgname/volumename` shows the UUID of a formatted volume
75 |
76 | * `lvextend -L +1G -r vgname/volumename` extends the logical volume *volumename* by one gigabyte
77 |
78 |     * `-r` also resizes the file system
79 |
80 | * `lvreduce -L -1G -r vgname/volumename` reduces the logical volume *volumename* by one gigabyte
81 |
82 | ## Create and configure encrypted storage
83 |
84 | * To use encrypted storage a kernel module must be loaded
85 |     * `sudo modprobe dm_crypt` loads the kernel module dm_crypt
86 |     * `echo dm_crypt >> /etc/modules-load.d/dm_crypt.conf` loads the dm_crypt module automatically when the system is restarted
87 |     * `lsmod` lists all loaded kernel modules
88 | * `yum -y install cryptsetup` installs the software used to manage encrypted storage
89 |
90 |
91 |
92 | Encrypt
93 |
94 | * `cryptsetup luksFormat /dev/vgname/volumename` encrypts the logical volume *volumename* contained in the *vgname* volume group
95 |
96 |     * A passphrase must be provided
97 |     * When confirmation is requested, type YES in capital letters (the existing content of the volume is destroyed)
98 |
99 | * **NOTE**: this command can be used with a physical volume as well
100 |
101 | * `cryptsetup open --type luks /dev/vgname/volumename namenewdevice`
102 |
103 | It opens the encrypted volume and maps it to a new device called *namenewdevice*
104 |
105 |     * The passphrase must be provided
106 |
107 | * `mkfs.ext4 /dev/mapper/namenewdevice`
108 |
109 | It creates a file system on *namenewdevice*
110 |
111 | Now the new device can be mounted
112 |
113 |
114 |
115 | Close device
116 |
117 | * Unmount device
118 | * `cryptsetup close namenewdevice` closes *namenewdevice*
119 |
120 |
121 |
122 | Automount
123 |
124 | * `echo "passwd" >> /root/key` inserts a string that will be used as the key to open the device
125 |
126 | * `chmod 400 /root/key` restricts the permissions on the key file (only root can read it)
127 | * `cryptsetup luksAddKey /dev/vgname/volumename /root/key` adds the key file as an additional key to the LUKS device (the underlying encrypted volume, not the opened `/dev/mapper/namenewdevice`)
128 | * Edit `/etc/crypttab` and add the row below:
129 |     * `namenewdevice /dev/vgname/volumename /root/key`
130 |
131 | * Add the row below to `/etc/fstab`
132 |     * `/dev/mapper/namenewdevice /mnt/mountpoint ext4 defaults 0 0`
133 |
134 | * Reboot the system or reload the system manager
135 |     * `systemctl daemon-reload`
136 | * The new encrypted volume will be mounted on `/mnt/mountpoint`
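Consistency checks for the `/etc/crypttab` and `/etc/fstab` pairing set up above, added here as an example and not part of the original notes. Both files and the key files are constructed in a scratch directory (mapper names, volumes and paths are invented); on a real system call the functions with the real `/etc/fstab` and `/etc/crypttab`.

```shell
#!/bin/sh
# Added example, not from the original notes: consistency checks for the
# /etc/crypttab + /etc/fstab pairing set up above. The files are constructed in
# a scratch directory (mapper names, volumes and key file paths are invented);
# on a real system call the functions with /etc/fstab and /etc/crypttab.

demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab" <<EOF
# name     device                  keyfile
data       /dev/vgname/volumename  $demo_dir/key
scratch    /dev/vgname/scratch     $demo_dir/key-shared
backup     /dev/vgname/backup      none
EOF
cat > "$demo_dir/fstab" <<EOF
/dev/mapper/data     /mnt/mountpoint  ext4  defaults  0 0
/dev/mapper/scratch  /mnt/scratch     ext4  defaults  0 0
/dev/mapper/archive  /mnt/archive     ext4  defaults  0 0
EOF
echo "passwd" > "$demo_dir/key";        chmod 400 "$demo_dir/key"
echo "passwd" > "$demo_dir/key-shared"; chmod 644 "$demo_dir/key-shared"

# Mapper names (/dev/mapper/<name>) that fstab expects to mount.
fstab_mapper_names() {       # $1 = fstab
    awk '$1 !~ /^#/ && $1 ~ /^\/dev\/mapper\// { sub(/^\/dev\/mapper\//, "", $1); print $1 }' "$1"
}

# "<name> <keyfile>" per crypttab entry; the key file is "none" when the
# passphrase is typed at boot.
crypttab_entries() {         # $1 = crypttab
    awk '$1 !~ /^#/ && NF >= 2 { print $1, ($3 == "" ? "none" : $3) }' "$1"
}

# Mapper devices fstab wants but crypttab never opens: at boot the mount
# fails and the system drops to emergency mode.
missing_crypttab_entries() { # $1 = fstab, $2 = crypttab
    for name in $(fstab_mapper_names "$1"); do
        crypttab_entries "$2" | awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' \
            || echo "$name"
    done
}

# Key files readable by group or others: whoever can read the file can open
# the volume, so the encryption only protects against offline disk theft if
# the file stays root-only (the notes use chmod 400).
exposed_keyfiles() {         # $1 = crypttab
    crypttab_entries "$1" | while read -r name key; do
        [ "$key" = "none" ] && continue
        [ -f "$key" ] || { echo "$key (missing)"; continue; }
        # characters 5-10 of "ls -l" are the group and other permission bits
        bits=$(ls -ld "$key" | cut -c5-10)
        [ "$bits" = "------" ] || echo "$key (group/other: $bits)"
    done
}

echo "fstab mounts without crypttab entry: $(missing_crypttab_entries "$demo_dir/fstab" "$demo_dir/crypttab")"
echo "exposed key files: $(exposed_keyfiles "$demo_dir/crypttab")"
```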
137 |
138 | ## Configure systems to mount file systems at or during boot
139 |
140 | * Edit `/etc/fstab` adding a row similar to:
141 |
142 |     * `/dev/sdb1 /mnt/mountpoint ext4 defaults 0 0`
143 |
144 |     * Mount device sdb1 on mountpoint.
145 |
146 |     * The device is formatted with the ext4 file system.
147 |
148 |     * Default mount options are used
149 |     * `0 0` -> dump (backup) and fsck.
150 |         * The first 0 means no backup required
151 |         * The second 0 means no fsck required after an unclean unmount. To enable fsck insert 2, because the number indicates the check order: 1 is given to the operating system disk and 2 to data disks
152 |
153 | * `mount` shows mounted volumes
154 |
155 | * `mount -a` reloads /etc/fstab
156 |
157 | * `mount -t type -o options device dir`
158 |
159 | * It mounts a *device* formatted with file system *type* on directory *dir* using a list of options
160 |
161 | * options can be:
162 |     * async -> asynchronous I/O
163 |     * auto -> can be mounted using `mount -a`
164 |     * defaults -> equal to this list of options: async,auto,dev,exec,nouser,rw,suid
165 |     * loop -> to mount an ISO image
166 |     * noexec -> binaries on the volume cannot be executed
167 |     * nouser -> an ordinary user cannot mount this volume
168 |     * remount -> remount a volume that is already mounted (e.g. to change its options)
169 |     * ro -> read only
170 |     * rw -> read and write
171 |     * relatime -> update the file access time (atime) only if the file was modified or once a day. Alternatively, to reduce disk traffic, noatime can be used. This is useful with SSDs to avoid unnecessary writes.
172 |
173 |
174 |
175 | SMB protocol
176 |
177 | * `yum -y install samba-client cifs-utils` installs the software needed to manage the CIFS/SMB protocol
178 |
179 | * `smbclient -L targetIP`
180 |
181 | It lists all SMB shares available on the target IP
182 |
183 |     * The root password must be provided
184 |
185 | * `mount -t cifs -o username=smbuser,password=1234pwd //192.168.0.10/share /media/samba`
186 |
187 | It mounts the directory *share*, exported by server 192.168.0.10, on the samba directory. The user and password for authentication are provided on the command line. **NOTE**: options given this way are visible to every local user in the process list and in the shell history; prefer the credentials file used below
188 |
189 | * Permanent configuration
190 |     * `echo "username=smbuser" >> /media/samba/.smbcredentials`
191 |     * `echo "password=1234pwd" >> /media/samba/.smbcredentials`
192 |     * `chmod 600 /media/samba/.smbcredentials`
193 |     * In `/etc/fstab` insert:
194 |         * `//192.168.0.10/share /media/samba cifs credentials=/media/samba/.smbcredentials,defaults 0 0`
195 |
196 |
197 |
198 | NFS protocol
199 |
200 | * `yum -y install nfs-utils` installs the software to manage the NFS protocol
201 |
202 | * `showmount -e targetIP`
203 |
204 | It lists all NFS exports available on the target IP
205 |
206 | * `mount -t nfs -o defaults 192.168.0.10:/srv/nfs /media/nfs`
207 |
208 | It mounts the directory */srv/nfs*, exported by server 192.168.0.10, on the nfs directory
209 |
210 | * Permanent configuration
211 |
212 |     * In `/etc/fstab` insert:
213 |         * `192.168.0.10:/srv/nfs /media/nfs nfs defaults 0 0`
214 |     * To use NFSv3 insert:
215 |         * `192.168.0.10:/srv/nfs /media/nfs nfs defaults,vers=3 0 0`
216 |
217 | ## Configure and manage swap space
218 |
219 | * To use a device as swap space:
220 |     * `mkswap /dev/sdb3`
221 |     * `swapon -v /dev/sdb3`
222 |     * In `/etc/fstab` insert:
223 |         * `/dev/sdb3 swap swap defaults 0 0`
224 |
225 | ## Create and manage RAID devices
226 |
227 | Concepts:
228 |
229 | * Parity disk. It is used to provide fault tolerance.
230 | * The spare device. It not take part of RAID and it is used only in case of a disk fault. In this case spare enter in the RAID and the content of lost disk is reconstructed and saved on it.
231 |
232 |
233 |
234 | * `yum -y install mdadm` installs software to manage RAID devices
235 | * RAID 0 - Striped - No spare
236 |
237 | * `mdadm --create --verbose /dev/md0 --level=stripe --raid-devices=2 /dev/sdb1 /dev/sdc1`
238 | * RAID 1 - Mirror
239 |
240 | * `mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sdb1 /dev/sdc1`
241 |
242 | * RAID 5 - (1 parity + 1 spare)
243 |     * `mdadm --create --verbose /dev/md0 --level=5 --raid-devices=3 /dev/sdb1 /dev/sdc1 /dev/sdd1 --spare-devices=1 /dev/sde1`
244 |
245 | * RAID 6 - (2 parity + 1 spare)
246 |     * `mdadm --create --verbose /dev/md0 --level=6 --raid-devices=4 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1 --spare-devices=1 /dev/sdf1`
247 |
248 |
249 | * RAID 10 - (Stripe + Mirror + 1 spare)
250 |
251 | * `mdadm --create --verbose /dev/md0 --level=10 --raid-devices=4 /dev/sd[b-e]1 --spare-devices=1 /dev/sdf1`
252 |
253 |
254 |
255 | * `mdadm --detail /dev/md0` shows the status of the RAID device
256 | * To use the device md0, create a filesystem on it and mount it like any other block device
257 |
258 |
259 |
260 | Monitoring RAID devices
261 |
262 | * `mdadm --assemble --scan`
263 | * `mdadm --detail --scan >> /etc/mdadm.conf`
264 | * `echo "MAILADDR root" >> /etc/mdadm.conf`
265 | * `systemctl start mdmonitor`
266 | * `systemctl enable mdmonitor`
267 |
268 |
269 |
270 | Add disk
271 |
272 | * `mdadm /dev/md0 --add /dev/sdc2`
273 |
274 | * `mdadm --grow --raid-devices=4 /dev/md0`
275 |
276 | The first command adds the partition to the array as a spare; the second grows the array so that the spare becomes an active member
277 |
278 |
279 |
280 | Remove disk
281 |
282 | * `mdadm /dev/md0 --fail /dev/sdc1 --remove /dev/sdc1`
283 |
284 | * `mdadm --grow /dev/md0 --raid-devices=2`
285 |
286 | The first command marks the disk as failed and removes it from the array. Afterwards the number of devices in the array must be adjusted to match
287 |
288 |
289 |
290 | Delete RAID
291 |
292 | * Unmount the device
293 | * `mdadm --stop /dev/md0`
294 | * `mdadm --zero-superblock /dev/sdb1 /dev/sdc1` wipes the RAID metadata from each former member partition, so that the partitions can be reused
295 |
296 |
297 |
298 | References:
299 |
300 | * [https://raid.wiki.kernel.org/index.php/A_guide_to_mdadm](https://raid.wiki.kernel.org/index.php/A_guide_to_mdadm)
301 |
302 | ## Configure systems to mount file systems on demand
303 |
304 | * `yum -y install autofs` installs the software needed to manage automount
305 |
306 |
307 |
308 | Automount NFS directory
309 |
310 | * Edit `/etc/auto.master` and insert:
311 |     * `/media /etc/nfs.misc --timeout=60`
312 |
313 | * Edit `/etc/nfs.misc` and insert:
314 |     * `nfs -fstype=nfs 192.168.0.10:/srv/nfs`
315 | * `systemctl start autofs` starts the automounter: `/media/nfs` is mounted on first access and unmounted after 60 seconds of inactivity
316 |
317 | ## Create, manage and diagnose advanced file system permissions
318 |
319 | **ACL Access control list**
320 |
321 | * They must be supported by the filesystem
322 |
323 | * With some older filesystems a mount option (e.g. *acl*) must be provided to enable ACLs
324 |
325 |
326 |
327 | * `getfacl file` shows the ACL applied to a file
328 |
329 | * `setfacl -R -m g:sales:rx file` sets an ACL on file
330 |
331 |     * `-R` recursive: if *file* is a directory, the ACL is applied to all the files inside it
332 |     * `-m` modify
333 |     * `g:sales:rx` the group *sales* can read and execute
334 |         * `g` group
335 |         * `u` user
336 |         * `o` other
337 |
338 | * `setfacl -m u:dummy:- file` removes all permissions of user *dummy* (the entry stays, with an empty permission set).
339 |
340 | * `setfacl -m d:g:sales:rx directory` sets a default ACL on a directory. In this way all the files created inside it get the same ACL by default
341 |
342 | The default ACL is a specific type of permission assigned to a directory: it doesn't change the permissions of the directory itself, but makes the specified ACLs be set by default on all the files created inside it
343 |
344 | * If an ACL is applied, `ls -la` shows a `+` after the permission bits
345 |
346 | * `setfacl -x u:test file` removes the ACL entry of user *test* (no permission field is given when removing an entry)
347 |
348 | * `setfacl -b file` removes all ACL entries
349 |
350 |
351 |
352 | **Extended attributes**
353 |
354 | * They are file properties
355 | * With some older filesystems a mount option (e.g. *user_xattr*) must be provided to enable extended attributes
356 |
357 |
358 |
359 | * Only the root user can remove an attribute
360 | * `chattr +i file` adds the *immutable* attribute to a file: it can no longer be modified or deleted
361 | * `chattr -i file` removes the *immutable* attribute from a file.
362 | * `lsattr file` shows the file's attributes
363 |
364 |
365 |
366 | ## Setup user and group disk quotas for filesystems
367 |
368 | * **Quota**: the disk space that a user may use on one specific filesystem
369 | * NOTE: to limit the space of a directory it is better to create a dedicated mount point backed by its own partition
370 | * `yum -y install quota` installs the software needed to manage quotas
371 | * The *usrquota,grpquota* mount options must be added for the filesystem on which quota is to be enabled (e.g. by editing `/etc/fstab`)
372 | * After the options are inserted, remount the partition to enable them
373 | * After the remount execute `quotacheck -mavug`, which scans the used blocks and records them in the tracking files
374 | * Two files will be created in the root of the filesystem:
375 |     * aquota.group
376 |     * aquota.user
377 | * `quotaon -a` starts the quota system
378 | * Alternatively:
379 |     * `quotaon -vu /mnt/mountpoint` starts only the user quota for a specific mount point
380 |     * `quotaon -vg /mnt/mountpoint` starts only the group quota for a specific mount point
381 | * `quota -vu user` shows the user's quota
382 | * The quota is specified in 1K blocks and in number of inodes, i.e. the number of files that can be created
383 | * Hard limit: maximum value allowed
384 | * Soft limit: a limit that can be exceeded for a *grace period*. The default *grace period* is one week
385 | * When the grace period expires, the soft limit is enforced like a hard limit
386 | * `edquota -t` edits the grace period. It is a single value for the whole system
387 | * `edquota -u user` edits the user's quota
388 | * In each column a value for the soft and hard limit, for blocks and inodes, can be inserted
389 | * **NOTE**: normally soft and hard limits are configured equal to avoid confusion
390 | * `repquota -aug` shows an overview of the current quota of each user and group
391 |
392 | ## Create and configure file systems
393 |
394 | * `mkfs.ext4 /dev/sdb1` creates an ext4 filesystem on the sdb1 partition
395 | * `fsck.ext4 /dev/sdb1` checks the integrity of the filesystem on sdb1
396 |
--------------------------------------------------------------------------------
/ServiceConfiguration.md:
--------------------------------------------------------------------------------
1 | # Service Configuration
2 |
3 | ## Configure a caching DNS server
4 |
5 | 
6 |
7 | * The Linux DNS server is *bind*
8 |
9 | * `yum -y install bind bind-utils`
10 |
11 | * Main configuration file `/etc/named.conf`
12 |
13 | * Most important configurations:
14 |
15 | ```bash
16 | options {
17 |     listen-on port 53 { 127.0.0.1; 192.168.0.0/24; };
18 |     ...
19 |     allow-query { localhost; 192.168.0.0/24; };
20 |     allow-query-cache { localhost; 192.168.0.0/24; };
21 |     ...
22 |     recursion yes;
23 |     forwarders {
24 |         8.8.8.8;
25 |         8.8.4.4;
26 |     };
27 |     ...
28 | };
29 |
30 | zone "test.com." IN {
31 |     type master;
32 |     file "/var/named/test.com.zone";
33 | };
34 |
35 | zone "0.168.192.in-addr.arpa" IN {
36 |     type master;
37 |     file "/var/named/rev.test.com.zone";
38 | };
39 | ```
40 |
41 | * `listen-on port 53` tells on which addresses/interfaces and port to accept client queries.
42 |
43 | * `allow-query` defines the networks from which clients can send DNS requests.
44 |
45 | * `allow-query-cache` defines the addresses/networks from which clients are allowed to issue queries that access the local cache, i.e. who may use this server as a recursive resolver. Leaving it open to everyone turns the server into an open resolver that can be abused for amplification.
46 |
47 | * `forwarders` specifies the name servers to which DNS requests are forwarded if they cannot be resolved directly.
48 |
49 | * `zone` contains the domain configuration. After `zone`, specify the name of the domain to administer.
50 |
51 | * `file` specifies the file where the zone data for the domain is located.
52 |
53 | * `zone "0.168.192.in-addr.arpa"` is the configuration for the reverse zone, or reverse lookup. A reverse zone allows DNS to convert from an address to a name.
54 |
55 | * `0.168.192` must be substituted with the first three octets, in reverse order, of the network address range being managed
56 |
57 |
58 | * `systemctl start named` starts the bind server
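As an added example (not part of these notes and not bind's own tooling), the Python below parses an `options` block like the one above and reports whether the server would answer recursive queries for everyone, i.e. act as an open resolver. Both configurations are constructed here; the BIND defaults it falls back on are stated in the comments.

```python
import re

# Constructed sample, mirroring the options block from the notes (not a real /etc/named.conf).
LAN_RESOLVER = """
options {
    listen-on port 53 { 127.0.0.1; 192.168.0.0/24; };
    allow-query { localhost; 192.168.0.0/24; };
    allow-query-cache { localhost; 192.168.0.0/24; };
    recursion yes;
    forwarders { 8.8.8.8; 8.8.4.4; };
};
"""

# Constructed counter-example: a recursive server that answers and caches for anyone.
OPEN_RESOLVER = """
options {
    allow-query { any; };          // everyone may ask
    allow-query-cache { any; };    # everyone may use the cache
    recursion yes;
};
"""

# Address-match-list entries that mean "everybody".
EVERYONE = {"any", "0.0.0.0/0", "::/0"}


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def extract_block(text, name):
    """Return the body of the top-level `name { ... }` block, honouring nested braces."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return None
    depth, i = 1, m.end()
    while depth and i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def parse_options(conf):
    """Parse the options block into {directive: value}. Brace lists become Python lists
    (e.g. 'allow-query': ['localhost', '192.168.0.0/24']); scalars become strings."""
    body = extract_block(strip_comments(conf), "options")
    if body is None:
        raise ValueError("no options block found")
    opts, depth, stmt = {}, 0, ""
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == ";" and depth == 0:          # end of a top-level statement
            stmt = stmt.strip()
            if "{" in stmt:
                head, _, rest = stmt.partition("{")
                items = rest[:rest.rfind("}")]
                opts[head.split()[0]] = [x.strip() for x in items.split(";") if x.strip()]
            elif stmt:
                key, _, val = stmt.partition(" ")
                opts[key] = val.strip()
            stmt = ""
        else:
            stmt += ch
    return opts


def audit_resolver(conf):
    """Return findings about who may use this server recursively; [] means the cache is
    restricted to the listed networks. Defaults assumed (BIND 9): recursion yes,
    allow-query any, listen-on every IPv4 interface."""
    o = parse_options(conf)
    findings = []
    if o.get("recursion", "yes").lower() != "yes":
        return findings                        # authoritative-only: nothing to amplify
    cache = o.get("allow-query-cache", o.get("allow-recursion"))
    if cache is None:
        findings.append("allow-query-cache/allow-recursion not set: relying on BIND's built-in default")
    elif set(cache) & EVERYONE:
        findings.append("open resolver: recursion yes and cache queries allowed from everyone")
    if set(o.get("allow-query", ["any"])) & EVERYONE and "listen-on" not in o:
        findings.append("allow-query any without listen-on: reachable on every interface")
    return findings
```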
59 |
60 |
61 |
62 |
63 | References:
64 |
65 | * [http://web.deu.edu.tr/doc/oreily/networking/dnsbind/ch02_06.htm](http://web.deu.edu.tr/doc/oreily/networking/dnsbind/ch02_06.htm)
66 | * [https://www.pks.mpg.de/~mueller/docs/suse10.1/suselinux-manual_en/manual/sec.dns.named.html](https://www.pks.mpg.de/~mueller/docs/suse10.1/suselinux-manual_en/manual/sec.dns.named.html)
67 |
68 |
69 |
70 | ## Maintain a DNS zone
71 |
72 | - `/var/named/test.com.zone` contents
73 |
74 | ```bash
75 | $TTL 3H
76 | @       IN SOA  dns root.test.com. (
77 |                 0       ; serial
78 |                 1D      ; refresh
79 |                 1H      ; retry
80 |                 1W      ; expire
81 |                 3H )    ; minimum
82 |         IN NS   dns
83 |         IN MX   10 email
84 |
85 | dns     IN A    192.168.0.29
86 | email   IN A    192.168.0.29
87 | web     IN A    192.168.0.29
88 | www.web IN CNAME web
89 | ```
90 |
91 | - Line 2: This is where the SOA (start of authority) control record begins.
92 |     - `@` means that the zone name is taken from the corresponding entry in `/etc/named.conf` (in this example `test.com.`)
93 |     - `dns` is the name of the authoritative server for the zone (a name without a trailing `.` is completed with the zone name, so `dns` means `dns.test.com.`)
94 |     - `root.test.com.` is the e-mail address of the person in charge of this name server. Because the `@` sign already has a special meaning, `.` is entered here instead. For `root@test.com` the entry must read `root.test.com.`
95 | - Line 8: The `IN NS` record specifies the name server responsible for this domain (authoritative server)
96 | - Line 9: The `MX` record specifies the mail server that accepts, processes, and forwards e-mails for this domain
97 | - Last lines: These are the actual address records, where one or more IP addresses are assigned to hostnames.
98 |     - A `CNAME` record maps a name onto another name (an alias)
99 |
100 | * `/var/named/rev.test.com.zone` contents:
101 |
102 | ```bash
103 | $TTL 3H
104 | @       IN SOA  dns.test.com. root.test.com. (
105 |                 0       ; serial
106 |                 1D      ; refresh
107 |                 1H      ; retry
108 |                 1W      ; expire
109 |                 3H )    ; minimum
110 |         IN NS   dns.test.com.
111 |
112 | 29      IN PTR  dns.test.com.
113 | ```
114 |
115 | * Line 2: This file activates reverse lookup for the network `192.168.0.0`. Since the zone is called `0.168.192.in-addr.arpa`, that name must not be appended to the hostnames. Therefore, all the hostnames are entered in their complete form, with their domain and with a `.` at the end. The remaining entries correspond to those described for the `test.com.` zone
116 | * Line 8: This line specifies the name server responsible for this zone. This time, however, the name is entered in its complete form, with the domain and a `.` at the end.
117 | * Line 10: This is the pointer record mapping the IP address to the respective host. Only the last octet of the IP address is entered at the beginning of the line, without a `.` at the end.
118 |
119 |
120 |
121 | * **NOTE**: examples of configuration files are contained in `/usr/share/doc/bind-9.9.4/sample`
122 |
123 |     * The `bind-9.9.4` directory name depends on the installed version
124 |
125 |
126 | * To check name resolution, `host` can be used
127 |     * `host name_to_resolve dns_server_ip`
128 |     * E.g. `host dns localhost`
129 |     * E.g. of reverse lookup: `host 192.168.0.29 localhost`
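An added example, not taken from these notes: a Python parser for the two zone files above that cross-checks them, verifying that every PTR target has an A record with that address and that every A address has a PTR (the kind of mismatch `host` shows one query at a time). The zone texts are copies constructed inline; the `$ORIGIN` handling and the TTL pattern are assumptions of this parser, not bind's.

```python
import re

# Constructed copies of the two zone files shown in these notes (forward and reverse).
FORWARD_ZONE = """
$TTL 3H
@       IN SOA  dns root.test.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   dns
        IN MX   10 email

dns     IN A    192.168.0.29
email   IN A    192.168.0.29
web     IN A    192.168.0.29
www.web IN CNAME web
"""

REVERSE_ZONE = """
$TTL 3H
@       IN SOA  dns.test.com. root.test.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   dns.test.com.

29      IN PTR  dns.test.com.
"""

TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)      # optional TTL token before the class/type

def qualify(name, origin):
    """Complete a relative name with the zone origin; '@' stands for the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    """Strip ';' comments and join a parenthesised record (the SOA) into one line."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf = line if not buf else buf + " " + line   # keep the first line's leading blanks
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield buf
            buf = ""

def parse_zone(text, origin):
    """Return [(owner_fqdn, TYPE, [rdata tokens])]. A line starting with blanks inherits
    the previous owner; optional TTL and 'IN' tokens before the type are skipped."""
    origin = origin.rstrip(".") + "."
    owner, records = origin, []
    for line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0].startswith("$"):                 # $TTL / $ORIGIN directives
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1]
            continue
        if not line[0].isspace():
            owner = qualify(tokens.pop(0), origin)
        while tokens and (tokens[0].upper() == "IN" or TTL_RE.match(tokens[0])):
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records

def ptr_name_to_ip(name):
    """'29.0.168.192.in-addr.arpa.' -> '192.168.0.29' (the zone name holds the octets reversed)."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {name}")
    return ".".join(reversed(labels[:-2]))

def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Cross-check forward and reverse zone: each PTR must point at a name holding an A
    record with that address, and each A address should have a PTR. [] means consistent."""
    rev_origin = rev_origin.rstrip(".") + "."
    a_records, problems, ptr_ips = {}, [], set()     # a_records: fqdn -> {ip, ...}
    for name, rtype, rdata in parse_zone(fwd_text, fwd_origin):
        if rtype == "A":
            a_records.setdefault(name, set()).add(rdata[0])
    for name, rtype, rdata in parse_zone(rev_text, rev_origin):
        if rtype != "PTR":
            continue
        ip, target = ptr_name_to_ip(name), qualify(rdata[0], rev_origin)
        ptr_ips.add(ip)
        if ip not in a_records.get(target, set()):
            problems.append(f"PTR {ip} -> {target} has no matching A record")
    for name, ips in a_records.items():
        for ip in sorted(ips - ptr_ips):
            problems.append(f"A {name} -> {ip} has no PTR record")
    return problems
```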
130 |
131 | References:
132 |
133 | * [https://www.pks.mpg.de/~mueller/docs/suse10.1/suselinux-manual_en/manual/sec.dns.zonefile.html](https://www.pks.mpg.de/~mueller/docs/suse10.1/suselinux-manual_en/manual/sec.dns.zonefile.html)
134 |
135 | ## Configure email aliases
136 |
137 | * To manage the mail spool
138 |
139 | * `yum -y install mailx`
140 | * `mailx` reads the user's mail spool
141 |
142 | * Send an email to the spool
143 |
144 | * `echo "Test" | mail -s "Oggetto" root`
145 |
146 | *root* is the target user
147 |
148 |
149 |
150 | * To create an alias edit the file `/etc/aliases`
151 |
152 | * Add a line like `root: user,root`
153 |
154 | This creates an alias for `root`: email for root will be delivered to both the `user` and the `root` mail spools
155 |
156 | * `root: user@test.com`
157 |
158 | With this syntax mail for `root` is forwarded to an ordinary external email address
159 |
160 | * After changing `/etc/aliases`, execute `newaliases` to apply the changes
161 |
162 | ## Configure SSH servers and clients
163 |
164 | * `/etc/ssh/sshd_config` ssh server configuration file
165 |     * `PermitRootLogin no` disables `root` login through ssh
166 |     * `PasswordAuthentication no` disables login with password. This means that only login with public/private keys is allowed (install a key first, otherwise the next login is locked out)
167 | * `/etc/ssh/ssh_config` ssh client configuration file
168 |     * `ForwardX11 yes` allows the use of an X11 server through ssh (the server side must allow it too, with `X11Forwarding yes` in `sshd_config`)
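Added example (from neither these notes nor OpenSSH): a Python model of how `sshd` reads `sshd_config`, which shows why a hardening line appended to the end of the file can silently lose to an earlier one, and why anything placed after a `Match` line belongs to that block. The sample file and the OpenSSH 7.x defaults in `DEFAULTS` are constructed/assumed here; `sshd -T` is the authoritative way to see the effective values on a real host.

```python
# Constructed excerpt in the style of /etc/ssh/sshd_config. The two "added later" lines
# imitate an admin who appended the hardening settings without removing the earlier ones.
SAMPLE_SSHD_CONFIG = """
#PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# added later by hand, expecting it to win:
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

# Assumed OpenSSH 7.x defaults for the keywords audited here (lower-case keys).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
}


def effective_settings(text, user=None):
    """Return the settings sshd would apply to a login by `user`.
    Rules modelled: keywords are case-insensitive and commented lines are ignored;
    in the global section the FIRST occurrence of a keyword wins; every line after a
    'Match' belongs to that block and counts only when its criteria match (only
    'Match User ...' and 'Match all' are modelled); a matching block overrides
    the global value."""
    global_, matched = {}, {}
    in_match, applies = False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit = value.split()
            in_match, applies = True, crit == ["all"]
            for k, v in zip(crit[::2], crit[1::2]):
                if k.lower() == "user" and user in v.split(","):
                    applies = True
            continue
        if in_match:
            if applies:
                matched.setdefault(key, value)     # first occurrence within the block wins
        else:
            global_.setdefault(key, value)         # first occurrence in the file wins
    return {**DEFAULTS, **global_, **matched}


def audit_sshd(text, user=None):
    """Findings for the settings these notes recommend, as they apply to `user`."""
    s = effective_settings(text, user)
    findings = []
    if s["permitrootlogin"].lower() not in ("no", "prohibit-password", "without-password"):
        findings.append(f"PermitRootLogin {s['permitrootlogin']}: root may log in with a password")
    if s["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication yes: password logins still accepted")
    if s["x11forwarding"].lower() == "yes":
        findings.append("X11Forwarding yes: a forwarded X display is exposed to the server")
    return findings
```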
169 |
170 |
171 |
172 | Server management
173 |
174 | * `systemctl status sshd` checks the ssh server status
175 | * `systemctl stop sshd` stops the ssh server
176 | * `systemctl start sshd` starts the ssh server
177 | * `systemctl restart sshd` restarts the ssh server
178 |     * It must be executed each time the configuration file is changed
179 | * `systemctl disable sshd` disables the ssh server start at boot
180 | * `systemctl enable sshd` enables the ssh server start at boot
181 |
182 |
183 |
184 | Client commands
185 |
186 | * `ssh 129.123.123.123` tries to connect as the current user to the ssh server located at 129.123.123.123
187 | * `ssh root@129.123.123.123` tries to connect as the root user to the ssh server located at 129.123.123.123
188 | * `ssh -X root@129.123.123.123`
189 |     * `-X` enables X11 forwarding. This means that graphical applications can be started on the server and displayed locally
190 |     * NOTE: it must be allowed in the client configuration file as well.
191 |
192 | * The first time an ssh connection is established with a server, the server sends its public host key, which is used to verify its identity on every later connection: check the fingerprint shown at that moment, because a key that later changes produces a warning about a possible man-in-the-middle.
193 | * The server public key is stored in the user's home inside the file `.ssh/known_hosts`
194 |     * E.g. `/home/user/.ssh/known_hosts`
195 |
196 |
197 |
198 | Authentication with public/private keys
199 |
200 | * On the ssh client machine a pair of ssh public/private keys can be generated using `ssh-keygen`
201 | * The keys are stored in the user's home inside the directory `.ssh`
202 |     * `id_rsa` private key (it never leaves the client and must stay readable only by its owner)
203 |     * `id_rsa.pub` public key
204 | * `ssh-copy-id 123.123.123.123` copies the current user's public key to the home directory of the same user on the ssh server. The key is stored in the user's home inside the file `.ssh/authorized_keys`
205 |
206 | * After the public key has been copied to the server, the user can use the ssh client to log in to the server without providing a password
207 |
208 |
209 |
210 | scp
211 |
212 | * Secure copy. It uses ssh to copy files to and from a server
213 | * `scp /test/source 123.123.123.123:/dest` copies the local file /test/source into the /dest directory on the server 123.123.123.123
214 | * `scp 123.123.123.123:/source /dest` copies the file /source from the server into the local directory /dest
215 |
216 |
217 |
218 | ## Restrict access to the HTTP proxy server
219 |
220 | * To use a proxy server, the environment variable `http_proxy` must be configured
221 |     * `export http_proxy=http://127.0.0.1:3128/` uses a local proxy listening on port 3128
222 |     * `export http_proxy=http://username:password@192.168.0.1:8080/` uses a remote proxy on the server 192.168.0.1, listening on port 8080, that requires username and password
223 |     * `unset http_proxy` disables the use of the proxy
224 |
225 | * To keep the configuration permanent for all users insert the variable in `/etc/environment` (that file is readable by every local user, so a proxy password placed there is not secret)
226 |
227 | ## Configure an IMAP and IMAPS service
228 |
229 | * The server used to manage the IMAP protocol is dovecot
230 |
231 | * `yum -y install dovecot`
232 |
233 | * Basic configuration
234 |
235 | * `/etc/dovecot/dovecot.conf`
236 |
237 | * `protocols = imap pop3`
238 |
239 | This enables the imap and pop3 protocols
240 |
241 | * `/etc/dovecot/conf.d/10-mail.conf`
242 |
243 | * `mail_location = maildir:~/Maildir`
244 |
245 | This tells the server where the mail files are located
246 |
247 | * `/etc/dovecot/conf.d/10-ssl.conf`
248 |
249 | * Nothing to change: the default configuration enables the SSL versions (imaps, pop3s) of the protocols enabled in `dovecot.conf`
250 |
251 | ## Query and modify the behavior of system services at various operating modes
252 |
253 | * `/usr/lib/systemd/system` contains the *.service* unit files used by systemctl to start the various services
254 | * `/etc/systemd/system` can contain unit files that override the files contained in `/usr/lib/systemd/system`. If a unit file for a service is present in this directory, it is used instead of the file in /usr.
255 | * The correct way to permanently alter a start property of a service is to copy the original file from `/usr/lib/systemd/system` to `/etc/systemd/system` and modify the copy
256 | * From the output of `systemctl status service` it is possible to see from which file the service was started
257 |     * `Loaded` shows the name of the .service file used
258 | * Under the `[Install]` section, the `WantedBy` entry indicates for which target the service is required
259 | * When a service is enabled, a symbolic link to its `.service` file is created in `/etc/systemd/system/targetname.target.wants`, where *targetname* is the name of the target for which the service is required
260 |
261 |
262 |
263 | * Some service properties can be changed at runtime
264 |
265 |     * `systemctl set-property httpd.service MemoryLimit=500M`
266 |
267 | The command changes the property and creates a drop-in file under `/etc/systemd/system` so that it also applies at future boots
268 |
269 | * `systemctl status service` will show
270 |
271 |     * `Loaded` the name of the .service file used
272 |
273 |     * `Drop-in` the change saved under `/etc/systemd`
274 |
275 |
276 | * `systemctl list-dependencies service` shows the service's dependencies
277 |
278 | ## Configure an HTTP server
279 |
280 | * Used server: Apache HTTP Server
281 | * `yum -y install httpd` installs the server
282 | * `systemctl start httpd` starts the server
283 | * `/etc/httpd/conf/httpd.conf` is the main configuration file
284 |     * `ServerName localhost` contains the local server name.
285 |     * **NOTE**: it must resolve to an IP. The simple solution is to edit /etc/hosts and insert a name-IP mapping
286 | * Virtual hosts can be created by inserting a *.conf* file in `/etc/httpd/conf.d/`
287 |     * E.g. `/etc/httpd/conf.d/file.conf`
288 |     * The file structure can be copied from `/usr/share/doc/httpd-2.4.6/httpd-vhosts.conf`
289 |     * **NOTE**: the directory name depends on the installed server version
290 | * Normally the *DocumentRoot*, the directory that contains the site's files, is a directory under `/var/www`
291 |
292 | ## Configure HTTP server log files
293 |
294 | * E.g.
295 |
296 | ```bash
297 | ErrorLog /var/log/httpd/example.com_error_log
298 | LogFormat "%v %h %t \"%r\" %>s %b" vhost_short
299 | CustomLog /var/log/httpd/example.com_access_log vhost_short
300 | ```
301 |
302 | * This stores the error log in /var/log/httpd/example.com_error_log
303 |
304 | * and generates an access log with a custom format in /var/log/httpd/example.com_access_log. `LogFormat` takes the quoted format string and a nickname (*vhost_short* here; the predefined *combined* nickname can be used instead without defining it): `%v` is the virtual host name, `%h` the client address, `%t` the time, `%r` the request line, `%>s` the final status code and `%b` the response size
305 |
306 | * Normally logs are stored in /var/log/httpd
307 |
308 |
309 |
310 | * `yum -y install httpd-manual` installs the httpd manual
311 |     * The manual is in HTML format
312 |     * The vhost manual is stored in `/usr/share/httpd/manual/vhosts`
313 |
314 | ## Configure a database server
315 |
316 | * Used database: MariaDB
317 | * `yum -y install mariadb mariadb-server` installs the database
318 | * `systemctl start mariadb` starts the database
319 | * `mysql -u root -p` connects to the database as the database root user
320 |     * The default password is blank
321 | * `mysql_secure_installation` improves MariaDB security
322 |     * It allows setting the root password (and removing the anonymous users and the test database created by default)
323 |
324 | ## Restrict access to a web page
325 |
326 | * Edit `/etc/httpd/conf/httpd.conf` and, in the `<Directory>` block of the document root, change `AllowOverride None` to
327 |
328 | ```bash
329 |
330 | AllowOverride All
331 | ```
332 |
333 | * In the subdirectory of `/var/www` that contains the site pages create a file `.htaccess` with the following content:
334 |
335 | ```bash
336 | Order Deny,Allow
337 | Deny from 192.168.3.1
338 | ```
339 |
340 | This denies access to the pages from IP 192.168.3.1 and allows access from all other IPs (with `Order Deny,Allow` the default, when nothing matches, is to allow). `Order` takes a single argument, so it is `Deny,Allow` with no space
341 |
342 | * Alternatively:
343 |
344 | ```bash
345 | Order Allow,Deny
346 | Allow from 192.168.3.1
347 | ```
348 |
349 | This allows access to the pages from IP 192.168.3.1 and denies access from all other IPs (with `Order Allow,Deny` the default is to deny). On Apache 2.4, the version used in these notes, `Order`/`Allow`/`Deny` are provided by *mod_access_compat*; the native equivalents are `Require ip 192.168.3.1` and `Require all denied`
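As an added example (not from these notes or from Apache), the Python below implements the `Order`/`Allow`/`Deny` evaluation rules of mod_authz_host and applies them to the two `.htaccess` fragments above, so the outcome for a given client address can be checked before the rule goes live. Hostname and `env=` arguments, which Apache also accepts, are not modelled.

```python
import ipaddress


def _matches(client, spec):
    """Does `client` (an ip_address) match one Allow/Deny argument? Supports 'all',
    a CIDR (192.168.3.0/24), a partial dotted prefix (192.168.3) and a full address."""
    spec = spec.lower()
    if spec == "all":
        return True
    if "/" in spec:
        return client in ipaddress.ip_network(spec, strict=False)
    if spec.count(".") < 3:                       # partial address = network prefix
        return str(client).startswith(spec + ".")
    return client == ipaddress.ip_address(spec)


def access_decision(order, allow, deny, client_ip):
    """Apache 2.2 mod_authz_host (2.4 mod_access_compat) evaluation:
    Deny,Allow: default allow; denied only if a Deny matches and no Allow matches.
    Allow,Deny: default deny;  allowed only if an Allow matches and no Deny matches.
    Mutual-failure behaves like Allow,Deny."""
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(client, s) for s in allow)
    denied = any(_matches(client, s) for s in deny)
    order = order.lower()
    if order == "deny,allow":
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")


def parse_htaccess(text):
    """Collect Order / Allow from / Deny from directives from .htaccess text.
    Like Apache, 'Order' takes exactly one argument: 'Deny, Allow' (with a space)
    is a configuration error, not a valid order."""
    order, allow, deny = "deny,allow", [], []        # Apache's default Order
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "order":
            if len(parts) != 2:
                raise ValueError("Order takes one argument, e.g. 'Order Deny,Allow'")
            order = parts[1]
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def is_allowed(htaccess, client_ip):
    """Would Apache serve `client_ip` under this .htaccess?"""
    return access_decision(*parse_htaccess(htaccess), client_ip)


# The two .htaccess fragments from these notes, with the single-argument Order spelling.
DENY_ONE_HOST = "Order Deny,Allow\nDeny from 192.168.3.1\n"
ALLOW_ONE_HOST = "Order Allow,Deny\nAllow from 192.168.3.1\n"
```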
350 |
351 | ## Manage and configure containers
352 |
353 | * Concepts:
354 |     * *Image*: read-only template used to create containers.
355 |     * *Container*: isolated application platform; it contains everything needed to execute the application
356 |
357 |
358 |
359 | * `yum install docker` installs docker
360 | * `systemctl start docker` starts docker
361 | * `docker version` tests whether docker is working properly
362 | * `usermod -aG dockerroot user`
363 |     * This enables *user* to use docker. Since the daemon runs as root and can start containers with host directories mounted, membership in that group is equivalent to root on the host
364 | * `docker search java`
365 |     * Searches for java images on Docker Hub
366 | * `docker images`
367 |     * Lists local images
368 | * Run a container, examples:
369 |     * `docker run busybox ls`
370 |     * `docker run busybox echo "hello"`
371 |     * `docker run centos:7 ping 127.0.0.1`
372 | * `docker run -i -t centos:7 bash`
373 |     * Runs a container with a terminal
374 |     * `-i` connects standard input to the container
375 |     * `-t` allocates a pseudo-terminal
376 |     * **NOTE**: `ctrl+p+q` exits the terminal without terminating the container
377 | * `docker run -d centos:7 ping 127.0.0.1`
378 |     * The container is executed in detached mode. This means that it runs in the background, not attached to the Bash shell
379 | * `docker ps -a`
380 |     * Lists all containers
381 |     * `-a` shows stopped containers as well
382 | * `docker attach containername`
383 |     * Attaches to a container running in detached mode
384 | * `docker logs containername`
385 |     * Shows the logs of a container
386 | * `docker run -d -P nginx`
387 |     * Maps the ports exposed by the container to ports on the host
388 |     * **NOTE**: *firewalld* must be enabled and running
389 | * `docker run -d -P --restart always nginx`
390 |     * This container is restarted at boot if the host is restarted
391 | * `docker update --restart=no containername`
392 |     * Disables the automatic restart at boot
393 | * Stop a container:
394 |     * `docker stop containername`
395 |     * `docker kill containername` forced stop
396 | * `docker start name`
397 |     * Restarts a stopped container
398 | * `docker rm containername`
399 |     * Removes a container
400 |     * **NOTE**: it must be stopped
401 | * `docker rmi imageid`
402 |     * Removes a local image
403 | * `docker diff containername`
404 |     * Lists the differences between the container and its original image. E.g. some software may have been installed in the running container
405 | * `docker commit containername`
406 |     * Creates a new image based on the content of the current container. E.g. it will contain the software that was installed in the container
407 |
408 | ## Manage and configure Virtual Machines
409 |
410 | * `yum install qemu-kvm qemu-img libvirt virt-install libvirt-client` installs all the tools needed to manage and configure virtual machines
411 | * `systemctl start libvirtd` starts the daemon needed to manage virtual environments
412 |
413 |
414 |
415 | Manage storage volume
416 |
417 | * Concepts:
418 |
419 |     * Storage Pool -> container of storage volumes (e.g. a directory or a partition)
420 |     * Storage Volume -> a virtual disk
421 |
422 | * Create a Storage Pool:
423 |
424 | * `virsh pool-define-as spool dir - - - - "/media/vdisk/"`
425 | * `virsh pool-build spool`
426 | * `virsh pool-start spool`
427 |
428 | * `virsh pool-autostart spool`
429 |
430 | * The files `/etc/libvirt/storage/*.xml` contain the storage pool definitions
431 |
432 | * Create a virtual disk
433 |
434 |     * `qemu-img create -f raw /media/vdisk/disk.img 1G` creates a raw disk image; its size will be 1G
435 |
436 |
437 |
438 | Manage Virtual Machines
439 |
440 | * If you want *root* to be able to execute virtual machines, in `/etc/libvirt/qemu.conf` uncomment `user=root` and `group=root` and then restart the *libvirtd* daemon with `systemctl restart libvirtd`
441 |
442 |
443 | * Create a Virtual Machine
444 |
445 | * `virt-install --name=rhel7 --disk path=/mnt/personal-data/SPool1/SVol1.img,size=2 --vcpu=1 --ram=1024 --location=/run/media/dos/9e6f605a-f502-4e98-826e-e6376caea288/rhel-server-7.0-x86_64-dvd.iso --network bridge=virbr0 --graphics none --extra-args console=ttyS0`
446 |     * This prepares a new virtual machine named *rhel7* with 1 virtual CPU, 1G of RAM and a virtual disk of 2G.
447 |     * After creation, the virtual machine is booted for the first time and the provided ISO image is executed. Normally the ISO is an operating system installation disk
448 |     * The virtual machine is configured without a graphical environment; `--extra-args console=ttyS0` sends the console to the serial port, which allows a connection from the local machine with `virsh console`
449 |
450 | * Virtual Machine management
451 |
452 | * `virsh list --all`
453 |
454 | Lists all the virtual machines, in any state
455 |
456 | * `virsh start rhel7`
457 |
458 | Starts the virtual machine called rhel7
459 |
460 | * `virsh shutdown rhel7`
461 |
462 | Shuts down the virtual machine called rhel7
463 |
464 | * `virsh destroy rhel7`
465 |
466 | Forced shutdown of the virtual machine called rhel7 (like pulling the power cord)
467 |
468 | * `virsh undefine rhel7`
469 |
470 | Deletes the definition of the virtual machine called rhel7
471 |
472 | * `virsh console rhel7`
473 |
474 | Establishes a console connection towards the virtual machine called rhel7
475 |
476 | **NOTE**: the console must be configured in the virtual machine
477 |
478 | `Ctrl+]` to exit (`Ctrl+5` sends the same `^]` code on many terminals)
479 |
480 | * `virsh autostart rhel7`
481 |
482 | Sets the virtual machine to start automatically when the host machine is rebooted
483 |
484 | * `virsh autostart --disable rhel7`
485 |
486 | Disables the autostart
487 |
488 | * Edit virtual machine
489 |
490 | * `virsh dominfo rhel7`
491 |
492 | It shows the virtual machine information
493 |
494 | * `virsh edit rhel7`
495 |
496 | Edits the configuration file of the virtual machine called rhel7
497 |
498 | * `virsh vcpucount rhel7`
499 |
500 | It shows the number of virtual CPUs
501 |
502 | * **maximum config**: the maximum number of virtual CPUs that can be made available to the virtual server after the next restart.
503 |
504 | * **maximum live**: the maximum number of virtual CPUs that can be made available to the running or paused virtual server. If you change the maximum in the configuration, the two values differ until the virtual machine is rebooted
505 |
506 | * **current config**: the actual number of virtual CPUs that will be available to the virtual server at the next restart.
507 |
508 | * **current live**: the actual number of virtual CPUs that are available to the running or paused virtual server
509 |
510 | * `virsh setvcpus --count 2 rhel7 --maximum --config`
511 |
512 | It sets the maximum number of virtual CPUs in the configuration file to 2.
513 |
514 | It requires a reboot of the virtual machine to be applied. After the reboot *maximum live* is aligned
515 |
516 | * `virsh setvcpus --count 2 rhel7 --config`
517 |
518 | It sets the configured number of virtual CPUs, i.e. the value with which the virtual machine will boot
519 |
520 | * `virsh setvcpus --count 2 rhel7`
521 |
522 | Sets the number of virtual CPUs (current live).
523 |
524 | The number must be less than or equal to *maximum live*.
525 |
526 | You cannot remove virtual CPUs from a running virtual server
527 |
528 | * `virsh setmaxmem --size 2G rhel7`
529 |
530 | It sets the maximum amount of memory of the virtual machine
531 |
532 | The virtual machine must be off
533 |
534 | * `virsh setmem --size 2G rhel7`
535 |
536 | It sets the amount of memory of the virtual machine
537 |
538 | The virtual machine must be running
539 |
540 |
541 |
542 | References:
543 |
544 | * [https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.ldva/ldva_t_modifyingCPUNumber.html](https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.ldva/ldva_t_modifyingCPUNumber.html)
545 |
--------------------------------------------------------------------------------
/OperationofRunningSystems.md:
--------------------------------------------------------------------------------
1 | # Operation of Running Systems
2 |
3 | ## Boot, reboot, and shut down a system safely
4 |
5 | * `shutdown -h now` shutdown
6 | * `shutdown -r now` reboot
7 |
8 | ## Boot or change system into different operating modes
9 |
10 | Boot sequence:
11 |
12 | * POST (Power-On Self Test) -> find the boot disk -> the disk holds the bootloader -> the bootloader loads the kernel -> the kernel starts the init process
13 |
14 | * Systemd is the default init process in CentOS
15 | * Systemd starts the services. The last unit started provides the login shell
16 |
17 |
18 |
19 | Systemd
20 |
21 | * Previous versions of Red Hat Enterprise Linux, which were distributed with SysV init or Upstart, implemented a predefined set of runlevels that represented specific modes of operation. These runlevels were numbered from 0 to 6 and were defined by a selection of system services to be run when a particular runlevel was enabled by the system administrator. In CentOS and Red Hat Enterprise Linux 7, the concept of runlevels has been replaced with systemd targets.
22 |
23 | * Systemd targets are represented by target units. Target units end with the .target file extension and their only purpose is to group together other systemd units through a chain of dependencies.
24 |
25 | * Systemd units are the objects that systemd knows how to manage. These are basically a standardized representation of system resources that can be managed by the suite of daemons and manipulated by the provided utilities.
26 |
27 | * Systemd units in some ways can be said to be similar to services or jobs in other init systems. However, a unit has a much broader definition, as units can be used to abstract services, network resources, devices, filesystem mounts, and isolated resource pools.
28 |
29 | * Systemd was designed to allow for better handling of dependencies and have the ability to handle more work in parallel at system startup.
30 |
31 |
32 |
33 | Systemd commands:
34 |
35 | * `systemctl get-default`
36 |
37 | It shows default target
38 |
39 | * `systemctl list-units --type target --all`
40 |
41 | It shows all available targets
42 |
43 | * `systemctl set-default multi-user.target`
44 |
45 | Set multi-user target as default
46 |
47 |
48 |
49 | Change target at boot time
50 |
51 | * If ESC is pressed during boot, the grub2 menu is shown
52 |
53 | * Highlight an entry and press 'e'
54 |
55 | * Now it is possible to modify the boot parameters used to load the kernel.
56 |
57 | **NOTE**: the changes are not persistent
58 |
59 | E.g. `systemd.unit=emergency.target` can be added to boot the system in emergency mode. NOTE: in this mode the root filesystem is mounted read-only; to mount it read/write, after boot execute `mount -o remount,rw /`
60 |
61 |
62 | * When the parameter changes are done, press 'Ctrl + x' to boot the system
63 |
64 |
65 |
66 | References:
67 |
68 | * [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-managing_services_with_systemd-targets](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-managing_services_with_systemd-targets)
69 | * [https://en.wikipedia.org/wiki/Power-on_self-test](https://en.wikipedia.org/wiki/Power-on_self-test)
70 | * [https://www.digitalocean.com/community/tutorials/understanding-systemd-units-and-unit-files](https://www.digitalocean.com/community/tutorials/understanding-systemd-units-and-unit-files)
71 |
72 | ## Install, configure and troubleshoot bootloaders
73 |
74 | * The default bootloader is Grub2.
75 |
76 | * To change the bootloader configuration edit /etc/default/grub
77 |
78 | `vi /etc/default/grub`
79 |
80 | * The configuration information can be found with:
81 |
82 | * `info -f grub -n 'Simple configuration'`
83 |
84 | * `man 7 bootparam`
85 |
86 | It shows the kernel boot parameters
87 |
88 | * Check the firmware type before regenerating the configuration (an `efi` subdirectory exists only when the system booted through UEFI)
89 |
90 | `ls -larth /sys/firmware`
91 |
92 | * If it is EFI then
93 |
94 | `grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg`
95 |
96 | else
97 |
98 | `grub2-mkconfig -o /boot/grub2/grub.cfg`
99 |
100 | * If there are no errors while generating the configuration then reboot; otherwise the kernel might panic and the system won't boot
101 |
102 | `reboot`
103 |
104 |
105 | ## Diagnose and manage processes
106 |
107 | mpstat
108 |
109 | * `yum -y install sysstat`
110 |
111 | * `mpstat -P ALL -u 2 3`
112 |
113 | CPU usage statistics.
114 |
115 | `-P` Indicates the processor number for which statistics are to be reported; ALL for all CPUs
116 |
117 | `-u` Report CPU utilization
118 |
119 | `2 3` Display three reports at two second intervals.
120 |
121 |
122 |
123 | ps
124 |
125 | * `ps` Processes owned by the current user
126 |
127 | * `ps aux` All processes.
128 |
129 | It will print:
130 |
131 | * user - user owning the process
132 |
133 | * pid - process ID of the process
134 |     * It is assigned when the process starts, so it gives information on the starting order of processes
135 |
136 | * %cpu - It is the CPU time used divided by the time the process has been running.
137 |
138 | * %mem - ratio of the process’s resident set size to the physical memory on the machine
139 |
140 | * VSZ (virtual memory) - virtual memory usage of entire process (in KiB)
141 |
142 | * RSS (resident memory) - resident set size, the non-swapped physical memory that a task has used (in KiB)
143 |
144 | * tty - the terminal the process is attached to.
145 |     * **NOTE**: *?* means that it isn't connected to a tty
146 |
147 | * stat - process state
148 |
149 | * start - starting time or date of the process
150 |
151 | * time - cumulative CPU time
152 |
153 | * command - command with all its arguments
154 |
155 | * Those within *[ ]* are system processes or kernel threads
156 |
157 | * `ps -eo pid,ppid,cmd,%cpu,%mem --sort=-%cpu`
158 |
159 | `-e` select all processes (the same set as `aux`)
160 |
161 | `-o` choose the columns to show
162 |
163 | `--sort` sort by provided parameter
164 |
165 | `ppid` parent process id
166 |
167 | * `ps -e -o pid,args --forest`
168 |
169 | `--forest` show a tree view of the processes
170 |
171 |
172 |
173 | * In /proc/[pid]
174 |
175 | There is a numerical subdirectory for each running process; the subdirectory is named by the process ID.
176 |
177 | * /proc/[pid]/fd
178 |
179 | This is a subdirectory containing one entry for each file which the process has open, named by its file descriptor, and which is a symbolic link to the actual file. Thus, 0 is standard input, 1 standard output, 2 standard error, and so on.
180 |
181 |
182 |
183 | * `lsof -p pid`
184 |
185 | Lists the open files of the process with PID pid
186 |
187 |
188 |
189 | Background processes
190 |
191 | * Ending a command with `&` executes it in the background
192 |
193 | `sleep 600 &`
194 |
195 | * `jobs`
196 |
197 | List the jobs running in the background
198 |
199 | * `fg %n`
200 |
201 | Bring job number n (as listed by `jobs`) back to the foreground
202 |
203 |
204 |
205 | Process priority
206 |
207 | * `ps -e -o pid,nice,command`
208 |
209 | nice (NI) is the process priority
210 |
211 | * A higher priority means more CPU time will be assigned to the process
212 |
213 | * nice value can be between -20 and 90
214 |
215 | * -20 is highest and 90 is lowest
216 |
217 | * **NOTE**: only root can assign negative values
218 |
219 | * `nice -n value command &`
220 |
221 | It will execute command in background with nice equal to value
222 |
223 | * `renice` re-assign the priority of a running process
224 |
225 | `renice -n value pid`
226 |
227 |
228 |
229 | Signals
230 |
231 | * `kill pid`
232 |
233 | Send a SIGTERM to the process with PID pid
234 |
235 | * `kill -9 pid`
236 |
237 | Send a SIGKILL to the process with PID pid
238 |
239 | * `kill -number pid`
240 |
241 | Send the signal corresponding to number to the process with PID pid
242 |
243 | * `kill -l`
244 |
245 | List all available signals and their corresponding numbers
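
The SIGTERM-then-SIGKILL sequence the signal list above describes, as an added example that is not code from the notes: `process_alive` and `graceful_kill` are hypothetical helper names, and the liveness check reads `/proc/[pid]/status` as introduced in the `/proc` section.

```shell
#!/bin/bash
# Added example, not part of the original notes: stop a process the way an
# operator should, sending SIGTERM first and escalating to SIGKILL only if the
# process is still alive after a timeout. Helper names are invented here.

# process_alive PID -> exit 0 if PID exists and is not a zombie
process_alive() {
    local key val state=""
    [ -r "/proc/$1/status" ] || return 1
    # /proc/[pid]/status has a line such as "State: S (sleeping)"; Z is a zombie
    while read -r key val _; do
        if [ "$key" = "State:" ]; then
            state=$val
            break
        fi
    done 2>/dev/null < "/proc/$1/status"
    [ -n "$state" ] && [ "$state" != "Z" ]
}

# graceful_kill PID [TIMEOUT] -> prints the signal that ended the process
# (TERM or KILL); exit 1 if PID was not running in the first place
graceful_kill() {
    local pid=$1 timeout=${2:-5} waited=0 sig=TERM
    process_alive "$pid" || return 1
    kill -TERM "$pid" 2>/dev/null            # same as plain `kill pid`: a polite request
    while process_alive "$pid"; do
        if [ "$waited" -ge "$timeout" ] && [ "$sig" = TERM ]; then
            sig=KILL
            kill -KILL "$pid" 2>/dev/null    # same as `kill -9 pid`: cannot be caught or ignored
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "$sig"
}

# usage: sleep 600 & graceful_kill "$!" 3   -> prints TERM
```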
246 |
247 |
248 |
249 |
250 | References:
251 |
252 | * [https://superuser.com/questions/117913/ps-aux-output-meaning](https://superuser.com/questions/117913/ps-aux-output-meaning)
253 | * [http://man7.org/linux/man-pages/man5/proc.5.html](http://man7.org/linux/man-pages/man5/proc.5.html)
254 |
255 | ## Locate and analyze system log files
256 |
257 | * Usually log files are stored in `/var/log`
258 |
259 | * In CentOS many tools use `rsyslog` to manage logs.
260 |
261 | * `rsyslog` is a daemon that permits logging data from different types of systems into a central repository
262 | * `/etc/rsyslog.conf` configuration file of rsyslog
263 | * `systemctl status rsyslog` to check execution status of rsyslog
264 |
265 |
266 |
267 | References:
268 |
269 | * [https://www.ittsystems.com/what-is-syslog/](https://www.ittsystems.com/what-is-syslog/)
270 |
271 |
272 |
273 | ## Schedule tasks to run at a set date and time
274 |
275 | * The daemon that schedules tasks, called jobs, to run at a set date and time is cron
276 | * The schedule of the various tasks depends on the configuration contained in the following files/directories:
277 |     * /etc/crontab
278 |         * Normally it isn't edited
279 |         * **NOTE**: its content can be used as a reminder of the cron file syntax
280 |         * Each row is a task that must be executed on a schedule
281 |         * A special syntax indicates the schedule of each command
282 |     * /etc/cron.d
283 |         * It contains files with the same syntax as /etc/crontab
284 |         * Normally it is used by software packages installed on the system
285 |     * /var/spool/cron
286 |         * It contains the tasks of the users
287 |         * Its contents can be edited using the `crontab` command
288 |     * /etc/cron.hourly
289 |         * Each script in this directory will be executed every hour
290 |         * The exact time isn't specified but execution is guaranteed by a combination of the cron daemon and anacron
291 |     * /etc/cron.daily
292 |         * Each script in this directory will be executed every day
293 |         * The exact time isn't specified but execution is guaranteed by a combination of the cron daemon and anacron
294 |     * /etc/cron.weekly
295 |         * Each script in this directory will be executed every week
296 |         * The exact time isn't specified but execution is guaranteed by a combination of the cron daemon and anacron
297 |     * /etc/cron.monthly
298 |         * Each script in this directory will be executed every month
299 |         * The exact time isn't specified but execution is guaranteed by a combination of the cron daemon and anacron
300 |
301 |
302 |
303 | To modify cron jobs:
304 |
305 | * `crontab -e` Used by a user to modify their own jobs
306 | * `crontab -e -u user` Used by root to modify the jobs of user
307 |
308 |     * Both commands will create a file in /var/spool/cron
309 | * `crontab -u user -l` Print the jobs of user, i.e. show the content of the user's file in /var/spool/cron
310 |
311 |
312 |
313 | Cron syntax:
314 |
315 | ```bash
316 | # ┌───────────── minute (0 - 59)
317 | # │ ┌───────────── hour (0 - 23)
318 | # │ │ ┌───────────── day of the month (1 - 31)
319 | # │ │ │ ┌───────────── month (1 - 12)
320 | # │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday;
321 | # │ │ │ │ │ 7 is also Sunday on some systems)
322 | # │ │ │ │ │
323 | # │ │ │ │ │
324 | # * * * * * command to execute
325 | ```
326 |
327 | * `#` this line is a comment
328 | * `*` every value (always)
329 | * `1 0 * * * /command` command will be executed one minute past midnight (00:01) every day
330 | * `1-30 * * * * /command` command will be executed every day, every hour, at each minute from 1 to 30
331 | * `*/10 * * * * /command` command will be executed every 10 minutes, i.e. when the minute is 00, 10, 20, 30, 40 or 50
332 | * `00 */2 15 * * /command` command will be executed on the fifteenth day of every month, every two hours
333 | * `00 1-9/2 1 5 * /command` command will be executed on 1st May at 1:00, 3:00, 5:00, 7:00 and 9:00, i.e. every two hours from 1:00 to 9:00
334 | * `00 13 2,8,14 * * /command` command will be executed on the second, eighth and fourteenth day of each month at 13:00
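
An added example, not code from the notes, that turns the schedule rules above into a checker: given a crontab schedule and a date/time it reports whether the job fires. The function names (`dec`, `cron_field_matches`, `dow_matches`, `cron_matches`) are assumptions; it goes one step beyond the notes by implementing cron's rule for schedules that restrict both day-of-month and day-of-week.

```shell
#!/bin/bash
# Added example, not from the notes: evaluate a crontab schedule against a
# given instant. Handles the field forms shown above (*, n, a-b, a,b,c, */s,
# a-b/s) and the convention that Sunday may be written as 0 or 7.
set -f   # no filename globbing, so a "*" in a cron field is never expanded

# dec NUMBER -> NUMBER without leading zeros, so "00" is not read as octal by $(( ))
dec() {
    local n=$1
    while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n=${n#0}; done
    echo "$n"
}

# cron_field_matches FIELD VALUE MIN MAX -> exit 0 if VALUE is covered by FIELD
cron_field_matches() {
    local field=$1 value min=$3 max=$4 item range step lo hi
    value=$(dec "$2")
    local IFS=','                      # split comma lists such as 2,8,14
    for item in $field; do
        step=1
        case $item in
            */*) step=$(dec "${item#*/}"); range=${item%%/*} ;;
            *)   range=$item ;;
        esac
        case $range in
            '*') lo=$min; hi=$max ;;
            *-*) lo=$(dec "${range%-*}"); hi=$(dec "${range#*-}") ;;
            *)   lo=$(dec "$range")
                 # "n/s" means n-MAX/s, while a bare "n" is the single value n
                 case $item in */*) hi=$max ;; *) hi=$lo ;; esac ;;
        esac
        if [ "$value" -ge "$lo" ] && [ "$value" -le "$hi" ] \
           && [ $(( (value - lo) % step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# dow_matches FIELD VALUE -> like cron_field_matches, accepting Sunday as 0 or 7
dow_matches() {
    if cron_field_matches "$1" "$2" 0 7; then return 0; fi
    [ "$2" -eq 0 ] && cron_field_matches "$1" 7 0 7
}

# cron_matches "MIN HOUR DOM MON DOW" MIN HOUR DOM MON DOW -> exit 0 if it fires
cron_matches() {
    local min=$2 hour=$3 dom=$4 mon=$5 dow=$6
    set -- $1                          # split the five fields (globbing is off)
    [ $# -eq 5 ] || { echo "bad schedule: $*" >&2; return 2; }
    if [ "$dow" -eq 7 ]; then dow=0; fi
    cron_field_matches "$1" "$min" 0 59  || return 1
    cron_field_matches "$2" "$hour" 0 23 || return 1
    cron_field_matches "$4" "$mon" 1 12  || return 1
    # Vixie cron rule: when both day fields are restricted, either one matching is enough
    if [ "$3" != '*' ] && [ "$5" != '*' ]; then
        cron_field_matches "$3" "$dom" 1 31 || dow_matches "$5" "$dow"
    else
        cron_field_matches "$3" "$dom" 1 31 && dow_matches "$5" "$dow"
    fi
}

# usage: cron_matches '00 1-9/2 1 5 *' 0 7 1 5 4 && echo "fires at 07:00 on 1 May"
```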
335 |
336 |
337 |
338 | at
339 |
340 | * `yum -y install at`
341 | * **NOTE**: it requires the atd daemon to be running
342 |     * `systemctl start atd`
343 |     * `systemctl enable atd`
344 | * `at 11:00` opens a prompt; the commands entered there will be executed at 11:00
345 | * `ctrl+d` closes the prompt and submits the job
346 |
347 | * `atq` shows the scheduled jobs, each identified by a job ID
348 | * `atrm ID` removes the job with job ID equal to ID from the schedule
349 |
350 |
351 |
352 | References:
353 |
354 | * [https://en.wikipedia.org/wiki/Cron](https://en.wikipedia.org/wiki/Cron)
355 |
356 | * [http://guide.debianizzati.org/index.php/Utilizzo_del_servizio_di_scheduling_Cron](http://guide.debianizzati.org/index.php/Utilizzo_del_servizio_di_scheduling_Cron) (Italian language)
357 |
358 |
359 |
360 | ## Verify completion of scheduled jobs
361 |
362 | * Cron sends the output of each job by email to the local mail spool of the user
363 |
364 |
365 |
366 | * Enable the logging of crond events
367 |     * Edit /etc/rsyslog.conf and uncomment this line:
368 |
369 | ```bash
370 | # Log cron stuff
371 | cron.* /var/log/cron
372 | ```
373 |
374 | * `systemctl restart rsyslog` restarts the rsyslog daemon
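
Once `cron.*` lines reach `/var/log/cron`, they can be used to confirm that a job really ran. The following is an added example, not code from the notes: the log lines are constructed in the format cronie writes on CentOS 7, and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the notes: answer "did my cron job actually run?" from
# /var/log/cron. CRON_LOG holds constructed lines in the cronie format; on a
# real host pass "$(cat /var/log/cron)" to the functions instead.
CRON_LOG='Mar  3 02:00:01 host CROND[2213]: (root) CMD (/usr/local/sbin/backup.sh)
Mar  3 02:00:01 host CROND[2214]: (alice) CMD (/home/alice/bin/sync.sh)
Mar  3 02:05:10 host crontab[2300]: (alice) BEGIN EDIT (alice)
Mar  3 02:05:42 host crontab[2300]: (alice) REPLACE (alice)
Mar  3 02:05:42 host crontab[2300]: (alice) END EDIT (alice)
Mar  3 03:00:01 host CROND[2400]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 03:00:01 host run-parts(/etc/cron.hourly)[2401]: starting 0anacron
Mar  3 03:00:01 host run-parts(/etc/cron.hourly)[2410]: finished 0anacron
Mar  4 02:00:01 host CROND[3110]: (root) CMD (/usr/local/sbin/backup.sh)'

# cron_runs LOG COMMAND -> how many times crond started exactly COMMAND
cron_runs() {
    # grep -c prints 0 and exits 1 when nothing matches, hence the || true
    printf '%s\n' "$1" | grep -cF "CMD ($2)" || true
}

# cron_runs_by LOG USER -> how many jobs crond started on behalf of USER
cron_runs_by() {
    printf '%s\n' "$1" | grep -cF "($2) CMD (" || true
}

# cron_missing LOG COMMAND... -> the commands that never appear as started
cron_missing() {
    local log=$1 cmd
    shift
    for cmd in "$@"; do
        if [ "$(cron_runs "$log" "$cmd")" -eq 0 ]; then echo "$cmd"; fi
    done
}

# crontab_edits LOG -> "Mon D HH:MM:SS user" for every crontab replacement;
# an edit nobody remembers making deserves a look, so review this list
# together with the job runs (tr -s and cut as described in the notes)
crontab_edits() {
    printf '%s\n' "$1" | grep -F ') REPLACE (' | tr -s ' ' | cut -d ' ' -f 1-3,6 | tr -d '()'
}

# usage: cron_missing "$(cat /var/log/cron)" /usr/local/sbin/backup.sh
```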
375 |
376 | ## Update software to provide required functionality and security
377 |
378 | * `yum update`
379 |     * Yum also offers the `upgrade` command, which is equal to `update` with the `obsoletes` configuration option enabled. By default, obsoletes is turned on in `/etc/yum.conf`, which makes the two commands equivalent.
380 |     * The `obsoletes` option enables the obsoletes processing logic during updates. When one package declares in its spec file that it *obsoletes* another package, the latter is replaced by the former when the former is installed. Obsoletes are declared, for example, when a package is renamed
381 |
382 |
383 |
384 | References:
385 |
386 | * [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-yum](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-yum)
387 |
388 | * [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-Configuring_Yum_and_Yum_Repositories#sec-Setting_main_Options](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-Configuring_Yum_and_Yum_Repositories#sec-Setting_main_Options)
389 |
390 |
391 |
392 | ## Verify the integrity and availability of resources
393 |
394 | * `/usr/lib/rpm/rpmdb_verify /var/lib/rpm/Packages` Verifies the integrity of the RPM database
395 |
396 | ## Verify the integrity and availability of key processes
397 |
398 | * `systemctl status processname` It will show the status of the process named processname
399 |     * The last rows are the recent log lines generated by the daemon
400 |
401 |
402 |
403 | * Other commands to check process status:
404 | * `ps`
405 | * `pgrep`
406 | * `mpstat`
407 |
408 | ## Change kernel runtime parameters, persistent and non-persistent
409 |
410 | * /proc/sys contains the kernel tunables, parameters used to customize the behavior of the system
411 |
412 | * Example:
413 |
414 | * `cd /proc/sys/net/ipv6/conf/all`
415 |
416 | * `echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6`
417 |
418 | This will disable IPv6
419 |
420 | * **NOTE**: This is a runtime change, not permanent
421 |
422 | * **NOTE**: `vi` cannot be used on these files
423 |
424 | * Alternative method: `sysctl -w net.ipv6.conf.all.disable_ipv6=1`
425 |
426 | * `sysctl -a` shows all parameters that can be configured
427 |
428 |
429 |
430 | To make the configuration permanent:
431 |
432 | * `cd /etc/sysctl.d`
433 | * `echo net.ipv6.conf.all.disable_ipv6 = 1 > ipv6.conf`
434 |     * **NOTE**: the only requirement is that the file name ends with `.conf`
435 | * `sysctl -p /etc/sysctl.d/ipv6.conf` reloads the file (`sysctl --system` reloads all of them). Alternative: reboot the system
436 |
437 |
438 |
439 | Some commonly changed parameters:
440 |
441 | * net.ipv4.ip_forward=0 disables packet forwarding
442 |
443 | * fs.file-max -> maximum number of file handles the kernel can manage
444 |
445 | * kernel.sysrq -> enables the SysRq (Print Screen) key
446 |
447 | * net.ipv4.icmp_echo_ignore_all -> ignore ping requests
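
Added example, not code from the notes: read a `sysctl.d`-style file and compare it with the values expected for the parameters listed above. The file body is constructed for the example and the function names (`sysctl_value`, `sysctl_check`, `sysctl_runtime`) are assumptions.

```shell
#!/bin/bash
# Added example, not from the notes: parse a sysctl.d file and report the keys
# whose value differs from what you expect. SYSCTL_CONF is a constructed file
# body; on a real host pass "$(cat /etc/sysctl.d/99-hardening.conf)" instead.
SYSCTL_CONF='# constructed /etc/sysctl.d/99-hardening.conf for this example
net.ipv4.ip_forward = 0
net.ipv6.conf.all.disable_ipv6=1
; sysctl also accepts this comment style
kernel.sysrq = 1
kernel.sysrq = 0
  fs.file-max = 65536  '

# sysctl_value CONF KEY -> the value CONF assigns to KEY ("" if absent);
# the last assignment wins, as it does for sysctl itself
sysctl_value() {
    local conf=$1 key=$2 line k v result=""
    while IFS= read -r line; do
        case $line in ''|'#'*|';'*) continue ;; esac   # blank and comment lines
        case $line in *=*) ;; *) continue ;; esac      # skip malformed lines
        k=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        v=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$k" = "$key" ]; then result=$v; fi
    done <<EOF
$(printf '%s\n' "$conf" | sed 's/^[[:space:]]*//')
EOF
    printf '%s\n' "$result"
}

# sysctl_check CONF KEY=EXPECTED... -> one line per key whose file value differs
sysctl_check() {
    local conf=$1 pair key want got
    shift
    for pair in "$@"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sysctl_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: found ${got:-unset}, expected $want"
        fi
    done
}

# sysctl_runtime KEY -> the value the running kernel uses right now (from
# /proc/sys), which a file in /etc/sysctl.d does not change until it is reloaded
sysctl_runtime() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# usage: sysctl_check "$(cat /etc/sysctl.d/99-hardening.conf)" net.ipv4.ip_forward=0 kernel.sysrq=0
```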
448 |
449 | ## Use scripting to automate system maintenance tasks
450 |
451 | Bash shell script:
452 |
453 | * `#!/bin/bash` must be the first line
454 | * A Bash script is a plain text file which contains a series of commands and/or the typical constructs of imperative programming
455 | * It is a convention to give files that are Bash scripts an extension of **.sh**
456 |
457 | * `chmod +x nomefile.sh` the file must be executable
458 | * `./nomefile.sh` executes nomefile.sh
459 |
460 |
461 |
462 | References:
463 |
464 | * [https://ryanstutorials.net/bash-scripting-tutorial/bash-script.php](https://ryanstutorials.net/bash-scripting-tutorial/bash-script.php)
465 |
466 | ## Manage the startup process and services (In Services Configuration)
467 |
468 | * `systemctl` is the command used to manage services. In Linux, services are often called *daemons*
469 |
470 | * `systemctl status processname` It will show the status of the process named processname
471 |     * `Active` service status, e.g. inactive, active
472 |     * `Loaded` unit file name
473 |         * unit file name; enabled - the daemon will be started automatically at the next reboot
474 |         * unit file name; disabled - the daemon won't be started automatically at the next reboot
475 |     * The last rows are the recent log lines generated by the daemon
476 | * `systemctl start sshd` It will start the sshd daemon
477 | * `systemctl stop sshd` It will stop the sshd daemon
478 | * `systemctl restart sshd` It will restart the sshd daemon
479 |     * **NOTE**: A restart must be executed each time a daemon's configuration file is changed
480 | * `systemctl disable sshd` Disable the execution of the service at boot
481 | * `systemctl enable sshd` Enable the execution of the service at boot
482 | * `systemctl is-enabled sshd` Check whether the daemon is enabled or disabled in the boot sequence
483 | * `systemctl list-unit-files` List all available systemd unit files
484 |
485 |
486 |
487 | References:
488 |
489 | * [https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units](https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units)
490 |
491 | ## List and identify SELinux/AppArmor file and process contexts
492 |
493 | * In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine if the operation is allowed.
494 | * In CentOS, SELinux is used as the MAC
495 | * SELinux can be in three states:
496 |     * *enforcing*: Actions contrary to the policy are blocked and a corresponding event is logged in the audit log
497 |     * *permissive*: Actions contrary to the policy are only logged in the audit log
498 |     * *disabled*: SELinux is disabled entirely
499 | * The state can be configured in the file `/etc/sysconfig/selinux`. Changes to this file are read only after a reboot
500 | * When the state is set to *enforcing* it can be switched to *permissive* and vice versa without rebooting the system
501 | * When the state is set to *disabled* the only way to re-enable SELinux is to change `/etc/sysconfig/selinux` and reboot
502 | * `getenforce` shows the SELinux state
503 | * `setenforce Permissive` sets the state to permissive
504 | * `setenforce Enforcing` sets the state to enforcing
505 |
506 |
507 |
508 | * On systems running SELinux, all processes and files are labeled in a way that represents security-relevant information. This information is called the *SELinux context*.
509 | * Usually the SELinux context is shown with the `-Z` option
510 |     * `ls -lZ` shows the SELinux context of files
511 |     * `ps auxZ` shows the SELinux context of processes
512 | * An SELinux context has the form *user:role:type*
513 |     * *type* indicates the type of the object
514 |     * objects of type *unconfined_t* are not restricted by SELinux
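
Added example, not code from the notes: split a *user:role:type* context into its parts and list the processes running with an unconfined type. The `ps -eo label,pid,comm` output is constructed for the example and the helper names (`ctx_part`, `unconfined_processes`) are assumptions.

```shell
#!/bin/bash
# Added example, not from the notes: pick apart SELinux contexts and find the
# processes that policy does not restrict. PS_LABELS is constructed output in
# the shape of `ps -eo label,pid,comm`; on a real host use "$(ps -eo label=,pid=,comm=)".
PS_LABELS='system_u:system_r:init_t:s0 1 systemd
system_u:system_r:syslogd_t:s0 712 rsyslogd
system_u:system_r:sshd_t:s0-s0:c0.c1023 905 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1433 bash
system_u:system_r:unconfined_service_t:s0 1502 custom-agent'

# ctx_part CONTEXT user|role|type -> that part of a user:role:type[:level] context
ctx_part() {
    local n
    case $2 in user) n=1 ;; role) n=2 ;; type) n=3 ;; *) return 1 ;; esac
    printf '%s\n' "$1" | cut -d : -f "$n"
}

# unconfined_processes PS_OUTPUT -> "pid comm" for every process whose type is
# unconfined_t, or unconfined_service_t (the type given to services that have
# no policy domain of their own)
unconfined_processes() {
    local label pid comm
    printf '%s\n' "$1" | while read -r label pid comm; do
        case $(ctx_part "$label" type) in
            unconfined_t|unconfined_service_t) echo "$pid $comm" ;;
        esac
    done
}

# usage: unconfined_processes "$(ps -eo label=,pid=,comm=)"
```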
515 |
516 |
517 |
518 | References:
519 | * [https://en.wikipedia.org/wiki/Mandatory_access_control](https://en.wikipedia.org/wiki/Mandatory_access_control)
520 |
521 | ## Manage Software
522 |
523 | yum
524 |
525 | * package manager built on top of the RPM package manager
526 |
527 | * `yum search keyword`
528 |
529 | This is used to find packages when you know something about the package but aren't sure of its name. By default search will try searching just package names and summaries, but if that "fails" it will then try descriptions and url.
530 |
531 | * *Repository*: collections of software packages used by yum. They are configured in `/etc/yum.repos.d`
532 | * `yum info package` Information on package
533 |
534 |     * If the package is installed, the Repo field shows "installed"
535 | * `yum install package` Install package
536 | * `yum provides */file` Search the package that contains file
537 | * `yum remove package` Remove package
538 | * `yum autoremove package` Remove package plus its unused dependencies
539 | * `yumdownloader package` Download the RPM package
540 |
541 |     * **NOTE**: requires `yum -y install yum-utils`
542 |
543 |
544 |
545 | RPM
546 |
547 | * `rpm -i file.rpm` Install file.rpm
548 | * `rpm -U file.rpm` Upgrade file.rpm
549 | * `rpm -qa` List all installed RPM
550 | * `rpm -qf file` Tells which RPM package file belongs to
551 |
552 | ## Identify the component of a Linux distribution that a file belongs to
553 |
554 | * `yum provides */file` Search package that contain file
555 |
556 |
557 |
558 | * `ldd path/command` Show all libraries used by command
559 |     * This info is contained in a library cache
560 |     * The library cache can be rebuilt using `ldconfig`
561 |     * The library cache is in /etc/ld.so.cache
562 |     * The directories scanned to build the cache are listed in /etc/ld.so.conf.d/
563 |     * The cache is normally rebuilt each time a new package is installed
564 |
565 |
--------------------------------------------------------------------------------
/EssentialCommands.md:
--------------------------------------------------------------------------------
1 | # Essential Commands
2 |
3 | ## Log into local & remote graphical and text mode consoles
4 |
5 | Basic concepts to know:
6 |
7 | * **Text Terminal**: text input/output environment.
8 |     * Originally, they meant a piece of equipment through which you could interact with a computer: in the early days of Unix, that meant a teleprinter-style device resembling a typewriter, sometimes called a teletypewriter, or “tty” in shorthand
9 |     * TTYs were used to establish a connection to a mainframe computer and share the operating system it provided
10 |     * A typical text terminal produces input and displays output and errors
11 | * **Console**: the terminal of modern computers, which don't use a mainframe but have their own operating system. It is generally a terminal in the physical sense that is, by some definition, the primary terminal directly connected to a machine.
12 |     * The console appears to the operating system "like" a remote terminal
13 |     * In Linux and FreeBSD, the console, in reality, appears as several terminals (*ttys*) called *Virtual Consoles*
14 | * **Virtual Consoles**: provide several text terminals on a single computer
15 |     * Multiple virtual consoles can be accessed simultaneously
16 | * **Shell**: command line interface or CLI
17 |     * It is the primary interface that users see when they log in, whose primary purpose is to start other programs
18 |     * It is presented inside a console
19 |     * There are many different Linux shells
20 |     * Command-line shells include flow control constructs to combine commands. In addition to typing commands at an interactive prompt, users can write shell scripts
21 |
22 | To summarize: a virtual console is a shell prompt in a non-graphical environment, accessed from the physical machine, not remotely.
23 |
24 | * **Pseudo-terminal**: Terminal provided by programs called terminal emulators e.g. `ssh`, `tmux`
25 |
26 | * **X Window System**: a windowing system for bitmap displays
27 |     * X provides the basic framework for a graphical user interface (GUI) environment: drawing and moving windows on the display device and interacting with a mouse and keyboard
28 |     * X does not mandate the user interface – this is handled by individual programs, like KDE or GNOME
29 |     * It is considered a "*graphical terminal*"
30 |     * When it is executed it takes the place of one of the text terminals provided by the virtual consoles. In CentOS that terminal is 1, in other systems it could be 7.
31 |     * Some applications running inside the X Window System provide pseudo-terminals, e.g. Konsole, GNOME Terminal
32 |     * If the graphical environment is not started, you can run the `startx` command to launch it
33 |
34 |
35 |
36 | Log in:
37 |
38 | * To log into the local environment you must provide, when prompted, *userID* and *password*, for both graphical and text mode
39 | * To log into a remote text environment you can use the `ssh` command
40 | * To log into a remote graphical environment you can use the `ssh -X` command
41 |
42 | Once logged in, the `w` command can be used to show who is logged in and what they are doing:
43 |
44 | ~~~bash
45 | [root@localhost ~]# w
46 | 23:41:16 up 2 min, 2 users, load average: 0.02, 0.02, 0.01
47 | USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
48 | root tty1 23:40 60.00s 0.01s 0.01s -bash
49 | root pts/0 192.168.0.34 23:41 1.00s 0.02s 0.00s w
50 | ~~~
51 |
52 | The first column shows which user is logged into the system and the second one on which terminal.
53 |
54 | * For virtual consoles the terminal column shows tty1, tty2 etc.
55 |
56 | * For ssh remote sessions (pseudo-terminals) the terminal column shows pts/0, pts/1 etc.
57 | * :0 is the X11 server, i.e. a graphical login
58 |
59 |
60 |
61 | References:
62 | * [https://askubuntu.com/questions/506510/what-is-the-difference-between-terminal-console-shell-and-command-line](https://askubuntu.com/questions/506510/what-is-the-difference-between-terminal-console-shell-and-command-line)
63 | * [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/installation_guide/sn-guimode-virtual-consoles-ppc](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/installation_guide/sn-guimode-virtual-consoles-ppc)
64 | * [https://www.computernetworkingnotes.com/rhce-study-guide/linux-virtual-console-explained-with-terminal-and-shell.html](https://www.computernetworkingnotes.com/rhce-study-guide/linux-virtual-console-explained-with-terminal-and-shell.html)
65 | * [https://fossbytes.com/difference-between-shell-console-terminal/](https://fossbytes.com/difference-between-shell-console-terminal/)
66 | * [https://en.wikipedia.org/wiki/Computer_terminal#Text_terminals](https://en.wikipedia.org/wiki/Computer_terminal#Text_terminals)
67 | * [https://en.wikipedia.org/wiki/System_console](https://en.wikipedia.org/wiki/System_console)
68 | * [https://unix.stackexchange.com/questions/60641/linux-difference-between-dev-console-dev-tty-and-dev-tty0](https://unix.stackexchange.com/questions/60641/linux-difference-between-dev-console-dev-tty-and-dev-tty0)
69 |
70 | ## Search for files
71 |
72 | * `find` is recursive by default, without extra parameters
73 |
74 | * Base syntax: `find PATH PARAMETERS`
75 |
76 | * `find /etc -name "*host*"`
77 |
78 | Search in /etc all files/directories with host in their name. `*` is a wildcard
79 |
80 | * `find . -perm 777 -exec rm -f '{}' \;`
81 |
82 | Search, starting from the current position, all files/directories with permissions 777 and then remove them
83 |
84 | `-exec` uses the result of find to do something
85 |
86 | `{}` will be substituted with the result of find
87 |
88 | The exec's command must be contained between `-exec` and `\;`.
89 |
90 | `;` is treated as the end-of-command character by the bash shell, so it must be escaped with `\`. When escaped it is interpreted by find and not by the bash shell.
91 |
92 | * Some parameters accept a value n with + or - in front. The meaning is:
93 |
94 | * +n - for greater than n
95 | * -n - for less than n
96 | * n - for exactly n
97 |
98 | * `find /etc -size -100k`
99 |
100 | Search in /etc all files/directories with size less than 100 kilobytes
101 |
102 | * `find . -maxdepth 3 -type f -size +2M`
103 |
104 | Search, starting from the current position and descending at most three directory levels, files with size greater than 2 megabytes
105 |
106 | * `find . \( -name name1 -o -name name2 \)`
107 |
108 |     * `-o` is a logical OR, used to combine two conditions. `\` escapes `(` and `)` so they are not interpreted by the bash shell
109 |
110 | * `find . -samefile file`
111 |
112 |     * Find all files that have the same inode as file
113 |
114 | * `find . \! -user owner`
115 |
116 |     * It will show all files that aren't owned by the user owner. `!` means negation, but it must be escaped with `\` so it is not interpreted by the bash shell
117 |
118 | * `find . -iname name`
119 |
120 |     * Search for name ignoring case
121 |
122 | * `find . -perm 222`
123 |
124 |     * Find all files with permissions exactly equal to 222, i.e. only files with permissions 222 will be shown
125 |
126 | * `find . -perm -222`
127 |
128 |     * Find all files with at least the permissions 222, e.g. 777 matches too
129 |
130 | * `find . -perm /222`
131 |
132 |     * Find all files with write for owner or write for group or write for others (at least one)
133 |
134 | * `find . -perm -g=w`
135 |
136 |     * Find all files with at least write permission for the group
137 |
138 | * `find . -atime +1`
139 |
140 |     * Show all files last accessed at least two days ago (more than 24 hours)
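
The `-perm`, `-type`, `\!` and `-exec` predicates above combined into a small permission audit, as an added example that is not code from the notes. It builds a throw-away directory tree (all names invented) so the checks can be run without touching the real system; the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the notes: find the permission problems an audit
# usually looks for, then fix one class of them with -exec. make_demo_tree
# creates sample files under a directory you pass in; nothing else is touched.
make_demo_tree() {
    local root=$1
    mkdir -p "$root/bin" "$root/tmp" "$root/dropbox"
    : > "$root/bin/tool";          chmod 755  "$root/bin/tool"
    : > "$root/bin/passwd-helper"; chmod 4755 "$root/bin/passwd-helper"  # setuid binary
    : > "$root/tmp/scratch";       chmod 666  "$root/tmp/scratch"        # world-writable file
    : > "$root/tmp/wide-open";     chmod 777  "$root/tmp/wide-open"
    : > "$root/notes.txt";         chmod 644  "$root/notes.txt"
    chmod 1777 "$root/tmp"       # world-writable but sticky, like /tmp
    chmod 777  "$root/dropbox"   # world-writable without the sticky bit
}

# world_writable_files ROOT -> regular files that "others" may write
world_writable_files() {
    find "$1" -type f -perm -o=w | sort
}

# setuid_files ROOT -> files that run with their owner's privileges
setuid_files() {
    find "$1" -type f -perm -4000 | sort
}

# unsticky_writable_dirs ROOT -> world-writable directories without the sticky
# bit, where any user could delete or rename other users' files
unsticky_writable_dirs() {
    find "$1" -type d -perm -o=w \! -perm -1000 | sort
}

# strip_world_write ROOT -> remove the others-write bit from every file found
strip_world_write() {
    find "$1" -type f -perm -o=w -exec chmod o-w '{}' \;
}

# usage: T=$(mktemp -d); make_demo_tree "$T"; world_writable_files "$T"; rm -rf "$T"
```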
141 |
142 | ## Evaluate and compare the basic file system features and options
143 |
144 | References:
145 |
146 | * [https://www.pks.mpg.de/~mueller/docs/suse10.2/html/opensuse-manual_en/manual/sec.new.fs.html](https://www.pks.mpg.de/~mueller/docs/suse10.2/html/opensuse-manual_en/manual/sec.new.fs.html)
147 |
148 | ## Compare and manipulate file content
149 |
150 | * `diff file1 file2`
151 |
152 | Compare file1 and file2
153 |
154 | * `diff -y file1 file2`
155 |
156 | Compare file1 and file2 with the output in two columns
157 |
158 |
159 |
160 | * `vi file`
161 |
162 | It is used to edit a file
163 |
164 | Inside vi:
165 |
166 | * i - switch from *command mode* to *insert mode*
167 | * Esc - switch from *insert mode* to *command mode*
168 |
169 |
170 |
171 | In command mode:
172 |
173 | * o - open a new line and enter in insert mode
174 |
175 | * O - open a new line above current position and enter in insert mode
176 |
177 | * :wq - write and quit
178 |
179 | * :q! - quit without save
180 |
181 | * :w! - force write
182 |
183 | * u - undo
184 |
185 | * ctrl + r - redo
186 |
187 | * gg - go to file begin
188 |
189 | * G - go to last line
190 |
191 | * Search
192 |
193 |     * :/texttosearch
194 |     * n - next occurrence
195 |     * N - previous occurrence
196 | * :300 - go to line 300
197 |
198 | * dd - delete current line
199 |
200 | * x - delete current character
201 |
202 | * d$ - delete from current point to end of line
203 |
204 | * Replace:
205 |
206 |     * :%s/one/ONE/g - replace all occurrences of one with ONE
207 |
208 |     * :%s/one/ONE - replace the first occurrence of one in each line with ONE
209 |
210 | * Cut and paste:
211 |
212 |     * v - select text
213 |     * y - copy the selected text
214 |     * p - paste the copied text
215 |     * d - delete the selected text
216 |
217 | In insert mode:
218 |
219 | * It is possible to insert text
220 |
221 |
222 |
223 | * `uniq file` Remove identical consecutive rows
224 |
225 | * `uniq -w 2 file`
226 |
227 | Remove identical consecutive rows comparing only the first two characters
228 |
229 | * `uniq -c file`
230 |
231 | Remove identical consecutive rows and show the number of occurrences
232 |
233 | * `sort file` sort the file content
234 |
235 | * `sort -k 2 file`
236 |
237 | Sort the file content using the second field as key
238 |
239 | * `cut -d delimiter -f column`
240 |
241 | * `cut -d ' ' -f 1 file`
242 |
243 | Print first word of each line. Delimiter will be space
244 |
245 | * `cut -d ' ' -f 1,3 file`
246 |
247 | Print first and third word of each line. Delimiter will be space
248 |
249 | * `cat file` Print the file content
250 | * `tail file` Print the last 10 lines of file
251 | * `tail -n 5 file` Print the last 5 lines of file
252 | * `tail -f file` Print the last 10 lines of file and keep printing new lines as they are appended. Useful to monitor log files
253 | * `head file` Print the first 10 lines of file
254 | * `head -n 2 file` Print the first 2 lines of file
255 |
256 |
257 |
258 | * `tr SET1 SET2` translate the characters of SET1 into the corresponding characters of SET2
259 |
260 | * `cat file | tr test sub`
261 |
262 | It will replace the characters of test with the corresponding characters of sub, character by character
263 |
264 | * `cat file | tr -s ' '`
265 |
266 | It will replace all consecutive occurrences of space with a single space
267 |
268 |
269 |
270 | * `file namefile` print the type of namefile
271 |
272 |
273 | ## Use input-output redirection (e.g. >, >>, |, 2>)
274 |
275 | All Unix-based operating systems provide at least three different input and output channels - called *stdin*, *stdout* and *stderr* respectively - that allow communication between a program and the environment in which it is run.
276 |
277 | In Bash each of these channels is numbered from 0 to 2 and takes the name of *file descriptor*, because it refers to a particular file: as with any other file stored in the system, you can manipulate it, copy it, read it or write to it.
278 |
279 | When a Bash environment is started, all three default file descriptors point to the terminal where the session was initialized: the input (stdin - 0) corresponds to what is typed in the terminal, and both outputs - stdout (1) for traditional messages and stderr (2) for error messages - are sent to the terminal. In fact, an open terminal in a Unix-based operating system is usually itself a file, commonly stored in /dev/tty0; when a new session is opened in parallel with an existing one, the new terminal will be /dev/tty1 and so on. Therefore, initially the three file descriptors all point to the file representing the terminal in which they are executed.
280 |
281 | There are operators to redirect input, output and errors.
282 |
283 | * < - redirect stdin
284 |
285 | * `wc < file`
286 |
287 | Execute wc using the content of file as input
288 |
289 | * \> and >> - redirect stdout
290 |
291 | * `echo test > file1`
292 |
293 | Write test into file1. The previous content of file1 is replaced
294 |
295 | * `echo test >> file1`
296 |
297 | Append test in file1
298 |
299 | * 2> - redirect stderr
300 |
301 | * `find /proc -name "cpu*" 2> /dev/null`
302 |
303 | Find in /proc files/directories whose name begins with cpu and redirect all errors, like 'Permission denied', to the special file /dev/null (a virtual file that discards all data)
304 |
305 | * | - the stdout of the left command becomes the stdin of the right one
306 |
307 | * `cat file | wc`
308 |
309 | Use the output of 'cat file' as input of wc
310 |
311 | * 2>&1 - redirect stderr to the same place as stdout
312 |
313 | * All redirections can be combined
314 |
315 | * `find /etc -name '*a*' 2> /dev/null | less`
316 |
317 | References:
318 |
319 | * [https://www.html.it/pag/53628/redirezione-dellio/](https://www.html.it/pag/53628/redirezione-dellio/)
320 |
321 | ## Analyze text using basic regular expressions
322 |
323 | * File Globbing in Linux
324 |
325 | File globbing is a feature provided by the UNIX/Linux shell to represent multiple
326 | filenames by using special characters called wildcards with a single file name.
327 | A wildcard is essentially a symbol which may be used to substitute for one or
328 | more characters. Therefore, we can use wildcards for generating the appropriate
329 | combination of file names as per our requirement.
330 |
331 | * \* - Every character
332 |
333 | `ls -l a*`
334 |
335 | List all file/directories that begin with a
336 |
337 | * ? - Every single character
338 |
339 | `ls -l a?`
340 |
341 | List all file/directories formed by two character that begin with a
342 |
343 | * [ab] - list of characters
344 |
345 | `ls -l a[ab]`
346 |
347 | List file/directories called aa or ab
348 |
349 | * [a-c]
350 |
351 | `ls -l a[a-c]`
352 |
353 | List files/directories called aa, ab or ac
354 |
355 | * Wildcards can be combined
356 |
357 | `ls -l a[a-c]*`
358 |
359 | List all files/directories whose names begin with aa, ab or ac
360 |
361 |
362 |
363 | * `grep pattern path/*`
364 |
365 | Search for pattern in the lines of the files matching path/*. Show the file name and each matching line
366 |
367 | It is not recursive and is case sensitive. Add `-r` for recursion
368 |
369 | Pattern can be a regular expression. The regular expression must be surrounded by single quotes (' '), otherwise its special characters could be expanded by bash globbing before grep sees them.
370 |
371 | * `grep -l pattern path/*`
372 |
373 | Search for pattern in the files matching path/*. Show only the file names
374 |
375 | * `grep -lr pattern path/*`
376 |
377 | Search for pattern in the files matching path/* and in their subdirectories. Show only the file names
378 |
379 | * `grep -ilr pattern path/*`
380 |
381 | Search for pattern, ignoring case, in the files matching path/* and in their subdirectories. Show only the file names
382 |
383 |
384 |
385 | Regular Expressions
386 |
387 | | Character | Definition | Example | Result |
388 | | :-------: | :--------------------------------------: | :--------: | :-------------------: |
389 | | ^ | Start of a string | ^abc | abc, abcd, abc1 |
390 | | $ | End of a string | abc$ | abc, rasabc, 2aabc |
391 | | . | Any character except newline | a.c | abc, acc, a1c |
392 | | \| | Alternation | a\|b | a, b |
393 | | {...} | Explicit quantity of the preceding character | ab{2}c | abbc |
394 | | [...] | Explicit set of characters to match | a[bB]c | abc, aBc |
395 | | [a-z0-9] | One lower-case letter or digit | a[a-z0-9]c | aac, a1c |
396 | | (...) | Group of characters | (abc){2} | abcabc |
397 | | * | Zero or more of the preceding character | a*bc | bc, abc, aabc, aaaabc |
398 | | + | One or more of the preceding character | a+bc | abc, aabc |
399 | | ? | Zero or one of the preceding character | a?bc | bc, abc |
400 | | ^$ | Empty string | | |
401 |
402 | * Not all of these regular expression features are supported by basic `grep` patterns. `egrep` (the same as `grep -E`, extended regular expressions) can be used instead
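An added example (not from the original notes) that puts globbing, quoting and `grep` together on a small constructed file tree. The file names and contents are invented for the demonstration and the tree is created under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds a small constructed tree
# under a temp directory, then runs the glob and grep forms described above.
setup_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/conf/sub"
    printf 'PermitRootLogin yes\nPasswordAuthentication no\n' > "$root/conf/sshd.conf"
    printf 'PermitRootLogin no\n' > "$root/conf/sub/override.conf"
    printf 'abc\nabcd\nxabc\n' > "$root/conf/ab.txt"
    printf 'hello\n' > "$root/conf/a1"
    echo "$root"
}

# Glob: a? matches names of exactly two characters starting with "a"
# (a1 yes, ab.txt no). Prints how many names the glob expanded to.
glob_two_chars() { ( cd "$1/conf" && ls -d a? 2>/dev/null | wc -l | tr -d ' ' ); }

# Pitfall: an unquoted pattern is globbed by the shell before grep runs.
# Inside conf/, a* expands to "a1 ab.txt", so grep would search for the
# literal string a1 inside ab.txt. Prints the first word grep would receive.
unquoted_pattern() { ( cd "$1/conf" && set -- a* && echo "$1" ); }

# Quoted extended regex, recursive, names only: which files enable root login?
# ^ anchors to the line start, + needs -E (or egrep), [[:space:]] is a class.
root_login_enabled() { grep -rlE '^PermitRootLogin[[:space:]]+yes' "$1/conf"; }

# Same keyword ignoring case (-i); counts the files mentioning it at all.
count_ci_files() { grep -rli 'permitrootlogin' "$1/conf" | wc -l | tr -d ' '; }

# Anchors: lines that are exactly "abc" vs. lines merely containing it.
count_exact_abc()    { grep -c '^abc$' "$1/conf/ab.txt"; }
count_contains_abc() { grep -c 'abc' "$1/conf/ab.txt"; }

# Demo when run directly.
r=$(setup_tree)
echo "a? expands to $(glob_two_chars "$r") name(s)"
echo "unquoted a* gives grep the pattern: $(unquoted_pattern "$r")"
echo "root login enabled in: $(root_login_enabled "$r")"
echo "files mentioning PermitRootLogin (any case): $(count_ci_files "$r")"
echo "exact abc lines: $(count_exact_abc "$r"), lines containing abc: $(count_contains_abc "$r")"
rm -rf "$r"
```

The `root_login_enabled` search is the kind of check a reviewer runs over a configuration tree; because the pattern is quoted and anchored, the commented or differently spelled variants do not match.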
403 |
404 |
405 |
406 | * `sed` - without `-i` the changes are only printed to stdout; the file itself is not modified
407 |
408 | * `sed 's/source/target/' file`
409 |
410 | In every line of file, replace the first occurrence of source with target. Print all lines
411 |
412 | * `sed 's/source/target/g' file`
413 |
414 | In every line of file, replace all occurrences of source with target. Print all lines
415 |
416 | * `sed 's/source/target/gI' file`
417 |
418 | In every line of file, replace all occurrences of source with target, ignoring case (`I` = case insensitive). Print all lines
419 |
420 | * `sed '10s/source/target/' file`
421 |
422 | On line 10 only, replace the first occurrence of source with target. Print all lines
423 |
424 | * `sed -n 's/source/target/p' file`
425 |
426 | In every line of file, replace the first occurrence of source with target. Print only the changed lines
427 |
428 | * `sed -n '/source/p' file`
429 |
430 | Print only the lines that contain source
431 |
432 | It is equivalent to `grep source file`
433 |
434 | * `sed -n 2,4p file`
435 |
436 | Print lines 2 to 4
437 |
438 | * `sed '/source/d' file`
439 |
440 | Delete the lines that contain source
441 |
442 | * `sed 12d file`
443 |
444 | Delete line 12 (note: with `-n` nothing at all would be printed)
445 |
446 | * `sed '11inewline' file`
447 |
448 | Insert the text newline before the current line 11, so that it becomes the new line 11
449 |
450 | * `sed -i 's/source/target/g' file`
451 |
452 | In every line of file, replace all occurrences of source with target. Save the result to file
453 |
454 | * `sed -i.orig 's/source/target/g' file`
455 |
456 | In every line of file, replace all occurrences of source with target. Save the result to file but keep a copy of the original file named file.orig
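An added example (not from the original notes): the `sed` forms above used to preview and then apply an edit to a constructed configuration file, with `-i.orig` keeping the untouched copy so the change can be rolled back. The file contents are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original notes. The config file is constructed
# here; the pattern mirrors a typical hardening edit.
make_config() {
    f=$(mktemp)
    printf '# sample config\nPermitRootLogin yes\n#PermitRootLogin yes\nPort 22\n' > "$f"
    echo "$f"
}

# Print lines N..M (address range + p, with -n so nothing else is printed).
show_lines() { sed -n "$2,$3p" "$1"; }

# Preview: with -n and the p flag only the lines that would change are shown.
# ^ and $ anchor the match so the commented-out copy on line 3 is left alone.
preview_change() { sed -n 's/^PermitRootLogin yes$/PermitRootLogin no/p' "$1"; }

# Apply in place; -i.orig keeps the untouched original as $1.orig.
apply_change() { sed -i.orig 's/^PermitRootLogin yes$/PermitRootLogin no/' "$1"; }

# Read back the effective (uncommented) value by stripping the key.
effective_value() { sed -n 's/^PermitRootLogin //p' "$1"; }

# sed as grep: count comment lines (/^#/p).
count_comment_lines() { sed -n '/^#/p' "$1" | wc -l | tr -d ' '; }

# Delete comment lines from the output (the file is untouched without -i).
strip_comments() { sed '/^#/d' "$1"; }

# Roll back by putting the backup copy back in place.
restore_backup() { mv "$1.orig" "$1"; }

# Demo when run directly.
f=$(make_config)
echo "before: $(effective_value "$f")  (line 2: $(show_lines "$f" 2 2))"
echo "would change: $(preview_change "$f")"
apply_change "$f"
echo "after:  $(effective_value "$f"), backup at $f.orig"
echo "without comments:"; strip_comments "$f"
restore_backup "$f"
echo "restored: $(effective_value "$f")"
rm -f "$f"
```

Previewing with `-n ... p` before running the same expression with `-i` is the habit worth keeping: the preview shows exactly which lines the anchored pattern will touch.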
457 |
458 |
459 |
460 | References:
461 |
462 | * [https://www.linuxnix.com/10-file-globbing-examples-linux-unix/](https://www.linuxnix.com/10-file-globbing-examples-linux-unix/)
463 |
464 | ## Archive, backup, compress, unpack, and uncompress files
465 |
466 | * `tar` - save many files into a single archive file
467 |
468 | File permissions are preserved on extraction by default only when tar runs as root. Other users must explicitly ask to keep the archived permissions during extraction with the `-p` parameter
469 |
470 | * `tar jcfv file.tar.bz2 *`
471 |
472 | Save all files of the current directory in a new bzip2-compressed archive called file.tar.bz2
473 |
474 | * `tar jxfv file.tar.bz2`
475 |
476 | Extract the content of file.tar.bz2
477 |
478 | * `tar tf file.tar`
479 |
480 | Show the content of file.tar. **Note**: file.tar is not compressed
481 |
482 | * `tar --delete -f test.tar file`
483 |
484 | Delete file from test.tar. **Note**: test.tar is not compressed
485 |
486 | * `tar --update -f test.tar file`
487 |
488 | Update file in test.tar. **Note**: test.tar is not compressed
489 |
490 | * `tar -X <(command that generates the list) -c -f file.tar *`
491 |
492 | `tar -X <(ls | file -f - | grep -i MPEG | cut -d: -f 1) -c -f file.tar *`
493 |
494 | Exclude the MPEG files (those listed by the command inside `<( )`) from the content of file.tar
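An added example (not from the original notes) of a full tar round trip: the tree, the exclude list and the file modes are constructed here, and the exclude list is passed as a plain file rather than the bash-only `<( )` used above. It creates the archive, lists it with `tar tf`, extracts with `-p` and checks that modes and content survived.

```shell
#!/bin/sh
# Added example, not from the original notes. Creates a constructed tree,
# archives it (uncompressed, so `tar tf` applies), excludes a file via a list,
# extracts with -p and checks that modes and content survived the round trip.
make_tree() {
    src=$(mktemp -d)
    mkdir "$src/etc"
    printf 'secret=1\n' > "$src/etc/app.conf"; chmod 640 "$src/etc/app.conf"
    printf '#!/bin/sh\necho hi\n' > "$src/run.sh";  chmod 755 "$src/run.sh"
    : > "$src/skip.tmp"
    echo "$src"
}

# Archive the contents of $1 into $2. The exclude list is a plain file here
# (the notes use <(...) process substitution, which is bash-only).
make_archive() {
    excl=$(mktemp)
    echo 'skip.tmp' > "$excl"
    ( cd "$1" && tar -X "$excl" -c -f "$2" . )
    rm -f "$excl"
}

# Members of the archive as relative names, one per line, sorted.
list_archive() { tar tf "$1" | sed 's#^\./##' | grep -v '^$' | sort; }

# Extract into $2 with -p so non-root users keep the archived modes, then
# print the octal mode of member $3.
extract_mode() {
    mkdir -p "$2"
    ( cd "$2" && tar xpf "$1" )
    stat -c '%a' "$2/$3"
}

# Succeeds when the extracted copy of $3 is byte-identical to the source in $1.
verify_member() { cmp -s "$1/$3" "$2/$3"; }

# Demo when run directly.
s=$(make_tree); a="$(mktemp -u).tar"; d=$(mktemp -d)
make_archive "$s" "$a"
echo "members:"; list_archive "$a"
echo "etc/app.conf extracted with mode $(extract_mode "$a" "$d" etc/app.conf)"
verify_member "$s" "$d" etc/app.conf && echo "content verified"
rm -rf "$s" "$d" "$a"
```

Listing the members before extracting, and comparing the extracted files with the source, is the check that turns a backup into something that can actually be trusted for a restore.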
495 |
496 |
497 |
498 | * Backup a device
499 |
500 | The device must be unmounted first
501 |
502 | `dd if=/dev/sda of=/system_images/sda.img`
503 |
504 | * Restore device
505 |
506 | `dd if=/system_images/sda.img of=/dev/sda`
507 |
508 |
509 |
510 | * `rsync` - keeps the content of two directories synchronized
511 |
512 | * `yum -y install rsync` installs the rsync command
513 |
514 | * `rsync -av source dest`
515 |
516 | Synchronize source with dest. `-a` (archive mode) enables a set of default options
517 |
518 | * `rsync -avz /tmp user@123.123.123.123:/dest`
519 |
520 | Synchronize /tmp with /dest on the remote machine with IP 123.123.123.123.
521 |
522 | `-z` means that the content is compressed during the transfer
523 |
524 | * `rsync -avzhe ssh source root@remote_host:/remote_directory/`
525 |
526 | Synchronize source with remote_directory over ssh (`-e ssh`)
527 |
528 | ## Create, delete, copy, and move files and directories
529 |
530 | You must be able to check the results of your activities.
531 |
532 | * `ls` list directory content
533 |
534 | * `ls -l` long output. It prints more columns:
535 |
536 | File type + permissions - Number of links - Owner - Group - Size - Creation date - Creation hour - Name
537 |
538 | The first letter of the first column indicates the file type:
539 |
540 | * `-` : file
541 | * `d`: directory
542 | * `l`: link
543 |
544 | * `ls -la` long output plus hidden files
545 |
546 | * `ls -lR` long output recursive (show subdirectories content)
547 |
548 | * `ls -lt` long output sorted by modification time
549 |
550 | * `ls -ld /etc` shows the properties of the directory itself and not its content
551 |
552 |
553 |
554 | * `du file` show disk usage
555 | * `du directory` show the space used by directory and by each subdirectory. It is recursive
556 | * `du -s directory` show only the total space used by directory and its subdirectories
557 | * `du *` show space of each file in current directory
558 | * `pwd` print current directory
559 |
560 |
561 |
562 | * `touch file`
563 |
564 | It creates an empty file
565 |
566 |
567 | * `cp source destination` copy source file to destination
568 |
569 | * `cp file1 file2 ./dest`
570 |
571 | Copy file1 and file2 to directory dest
572 |
573 | * `cp * ./dest`
574 |
575 | Copy all files of the current directory to directory dest
576 |
577 | * `cp -r dir1 dir2`
578 |
579 | Copy dir1 into dir2. `-r` recursive
580 |
581 | * `mkdir dir` create directory dir
582 |
583 | * `mkdir -p dir/dir2`
584 |
585 | Create directory dir with the subdirectory dir2 in one step
586 |
587 | * `rmdir dir` remove dir. Note: dir must be empty
588 | * `tree` show directories tree
589 | * `yum -y install tree` to install tree
590 |
591 | * `mv file file2` rename file to file2
592 | * `mv file dir` move file into directory dir
593 | * `mv dir ..` move directory dir one level up
594 | * `rm file` delete file
595 | * `rm -f file` force removal (e.g. of a read-only file) without asking for confirmation
596 | * `rm -r dir` remove directory dir with all its subdirectories and files
597 |
598 | ## Create and manage hard and soft links
599 |
600 | 
601 |
602 | The i-node (index node) is a data structure in a Unix-style file system that describes a file-system object such as a file or a directory. Each i-node stores the attributes and disk block location(s) of the object's data.
603 |
604 | File-system object attributes may include metadata (times of last change, access, modification), as well as owner and permission data.
605 |
606 | Directories are lists of names assigned to i-nodes. A directory contains an entry for itself, its parent, and each of its children.
607 |
608 | Each i-node is identified by a unique i-node number
609 |
610 | *To summarize*: a directory contains filenames, each associated with an i-node, which contains the references to the data blocks.
611 |
612 | *Hard link*
613 |
614 | * A filename is a hard link.
615 |
616 | * I can have two filenames that point to the same i-node.
617 |
618 | * Hard link limits:
619 |   * Must point to an i-node on the same device (file system)
620 |   * Hard links to a directory cannot be created
621 |
622 | *Symbolic link*
623 |
624 | * It's a pointer to a filename
625 | * This means that there is this chain: link -> filename -> i-node
626 | * If the filename is removed, the link becomes invalid (dangling)
627 |
628 | * Note: the permissions shown on a symbolic link are "open", because the real permissions are those associated with the target's i-node
629 |
630 |
631 |
632 | * `ls -li` shows the i-node number in the first column
633 | * `ln target newname` creates a hard link to the same i-node as target, with name (filename) newname
634 | * `ln -s target newlink` creates a symbolic link to target called newlink
635 | * `ln -s /var .` creates a symbolic link to /var in the current directory. The name of the link will be var
636 |
637 | **Note**: A file is considered deleted only when no hard link to its i-node exists anymore. This means that `rm` removes a link, hard or symbolic, not necessarily the data.
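An added example (not from the original notes) that builds the chain described above in a temporary directory and reads back i-node numbers, link counts and link modes with `stat` and `readlink`, then removes the original name to show what happens to each kind of link.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds a file, a hard link and a
# symbolic link in a temp directory and inspects them with stat/readlink.
setup_links() {
    d=$(mktemp -d)
    echo "payload" > "$d/original"
    ln    "$d/original" "$d/hard"     # second filename for the same i-node
    ln -s original      "$d/soft"     # pointer to the *name* "original"
    echo "$d"
}

inode_of()   { stat -c '%i' "$1"; }   # i-node number (first column of ls -li)
link_count() { stat -c '%h' "$1"; }   # number of hard links to the i-node
link_mode()  { stat -c '%a' "$1"; }   # mode of the link itself (no -L)
same_inode() { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }

# Hard links to a directory are refused by the kernel; succeeds when ln fails.
hard_link_dir_fails() { ! ln "$1" "$1/dirlink" 2>/dev/null; }

# Remove the original name: the hard link still reaches the data (the
# i-node lives until its last name is gone), while the symlink now dangles.
remove_original() { rm -f "$1/original"; }
hard_content()    { cat "$1/hard"; }
soft_dangles()    { [ -L "$1/soft" ] && [ ! -e "$1/soft" ]; }

# Demo when run directly.
d=$(setup_links)
echo "inode original=$(inode_of "$d/original") hard=$(inode_of "$d/hard") links=$(link_count "$d/original")"
echo "soft -> $(readlink "$d/soft"), shown mode $(link_mode "$d/soft") (the real mode is the target's)"
hard_link_dir_fails "$d" && echo "ln on a directory is refused"
remove_original "$d"
echo "after rm original: hard still reads '$(hard_content "$d")', soft dangling: $(soft_dangles "$d" && echo yes || echo no)"
rm -rf "$d"
```

The link count dropping from 2 to 1 after `rm original` is the point of the note above: the data is gone only when that count reaches 0.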
638 |
639 |
640 |
641 | References:
642 |
643 | * [https://en.wikipedia.org/wiki/Inode](https://en.wikipedia.org/wiki/Inode)
644 |
645 | * [http://www.farhadsaberi.com/linux_freebsd/2010/12/files-directory-security-setuid-sticky-bit-permissions.html](http://www.farhadsaberi.com/linux_freebsd/2010/12/files-directory-security-setuid-sticky-bit-permissions.html)
646 |
647 | * [http://www.compsci.hunter.cuny.edu/~sweiss/course_materials/unix_lecture_notes/chapter_03.pdf](http://www.compsci.hunter.cuny.edu/~sweiss/course_materials/unix_lecture_notes/chapter_03.pdf)
648 |
649 | ## List, set, and change standard file permissions
650 |
651 | To see the user, group and permissions use `ls -l`. Permissions are in the first column, the owner name in the third and the group in the fourth.
652 |
653 | Each file/directory will have an *owner* and will be associated to a *group*.
654 |
655 |
656 |
657 | The permissions of each file/directory are given for each of these categories:
658 |
659 | * Owner
660 | * Group
661 | * Others
662 |
663 | Others are all the users that are neither the owner nor members of the group.
664 |
665 | **NOTE**: The order (owner, group, others) matters.
666 |
667 |
668 |
669 | For each category the following permissions can be set:
670 |
671 | * Read
672 |   * Octal value: 4
673 | * Write
674 |   * Octal value: 2
675 | * Exec (Execution)
676 |   * Octal value: 1
677 |
678 | The rights that each permission grants differ depending on whether the target is a file or a directory:
679 |
680 | | | File | Directory |
681 | | :-------: | :----------: | :-----------: |
682 | | Read (4) | Read or Exec | List (ls) |
683 | | Write (2) | Modify | Create Delete |
684 | | Exec (1) | Run | cd |
685 |
686 | **Note**: When exec is set for group or others, the file is executed with the identity of the user running the command (user ID) and that user's group (group ID)
687 |
688 |
689 |
690 | Absolute mode:
691 |
692 | * Use the number of each permission; when more than one permission is granted, add the numbers together
693 |
694 | * `chmod 760 file` Change file permission
695 |   * Owner: grant read, write and exec (4+2+1)
696 |   * Group: grant read, write (4+2)
697 |   * Others: no permission (0)
698 |
699 |
700 |
701 | Relative mode:
702 |
703 | * `chmod +x file` Add exec for owner, group and others
704 | * `chmod g+w file` Add write for group
705 | * `chmod o-rw file` Remove read and write from others
706 |
707 |
708 |
709 | **Advanced permissions**
710 |
711 | There are other special permissions that can be granted to files/directories
712 |
713 | | | File | Directory |
714 | | :------------: | :------------------: | :---------------------------------------------------------: |
715 | | suid (4) | Run as owner of file | N/A |
716 | | sgid (2) | Run as group owner | Inherit directory group when a file is created |
717 | | sticky bit (1) | N/A | A file can be deleted only by owner or by directory's owner |
718 |
719 | * Suid: When a file with setuid is executed, the resulting process assumes the effective user ID of the owner class. This lets users be treated temporarily as root (or another user). E.g. `passwd` has suid set
720 | * Sgid: When a file with *setgid* is executed, the resulting process assumes the group ID of the group class
721 | * The sticky bit is applied to /tmp
722 |
723 | * Suid cannot be applied to Bash scripts (it is ignored for interpreted scripts)
724 |
725 |
726 |
727 | Absolute mode:
728 |
729 | * `chmod 4760 file` Change file permission
730 |   - Add suid
731 |   - Owner: grant read, write and exec
732 |   - Group: grant read, write
733 |   - Others: no permission
734 |
735 |
736 |
737 | Relative mode:
738 |
739 | * `chmod u+s file` set suid
740 | * `chmod g+s file` set sgid
741 | * `chmod +t dir` set sticky bit
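An added example (not from the original notes): absolute and relative `chmod` on constructed files in a temporary directory, read back with `stat -c '%a'`, plus the `find -perm` check an administrator uses to list setuid files.

```shell
#!/bin/sh
# Added example, not from the original notes. All files are created in a temp
# directory; modes are read back with stat so each step is verifiable.
mode_of() { stat -c '%a' "$1"; }

setup_perms() {
    d=$(mktemp -d)
    : > "$d/report.txt"; : > "$d/tool"; mkdir "$d/shared" "$d/dropbox"
    chmod 760  "$d/report.txt"   # absolute: owner rwx (4+2+1), group rw (4+2), others 0
    chmod 4760 "$d/tool"         # leading 4 adds setuid on top of 760
    chmod 2775 "$d/shared"       # leading 2 adds setgid: new files inherit the group
    chmod 777  "$d/dropbox"; chmod +t "$d/dropbox"   # relative: sticky bit, as on /tmp
    echo "$d"
}

# Relative mode: take write from the group and everything from others.
tighten_report() { chmod g-w,o-rwx "$1/report.txt"; mode_of "$1/report.txt"; }

# Relative mode: drop the setuid bit from the tool.
drop_setuid() { chmod u-s "$1/tool"; mode_of "$1/tool"; }

# Auditor's check: files under $1 with the setuid bit set. -perm -4000 means
# "at least these bits"; run on / it lists every setuid binary on the system.
find_setuid() { find "$1" -type f -perm -4000; }

# Demo when run directly.
d=$(setup_perms)
for f in report.txt tool shared dropbox; do echo "$f: $(mode_of "$d/$f")"; done
echo "setuid files: $(find_setuid "$d")"
echo "report.txt after g-w,o-rwx: $(tighten_report "$d")"
echo "tool after u-s: $(drop_setuid "$d"); setuid files now: '$(find_setuid "$d")'"
rm -rf "$d"
```

`stat -c '%a'` prints the special bits as the leading digit (4760, 2775, 1777), which is the same four-digit form accepted by `chmod` in absolute mode.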
742 |
743 |
744 |
745 | References:
746 |
747 | * [https://en.wikipedia.org/wiki/File_system_permissions#Changing_permission_behavior_with_setuid,_setgid,_and_sticky_bits](https://en.wikipedia.org/wiki/File_system_permissions#Changing_permission_behavior_with_setuid,_setgid,_and_sticky_bits)
748 |
749 | ## Read, and use system documentation
750 |
751 | * `command --help`
752 |   * Show the help of a command
753 |
754 |
755 |
756 | * `man command`
757 |
758 |   * Show the manual of the command
759 |
760 | * `man -k keyword`
761 |
762 | Search the manual pages for the provided keyword
763 |
764 | * `sudo mandb` creates the database used by the `man -k` command
765 |
766 |
767 |
768 | * `/usr/share/doc`
769 |   * It contains example configuration files
770 |
771 |
772 |
773 | * `info command`
774 |   * It shows the info document of the command
775 |
776 |
777 |
778 | * bash completion
779 |   * While typing a command, press the Tab key twice to show the possible values or parameters
780 |   * The package must be installed: `yum -y install bash-completion`
781 |
782 | ## Manage access to the root account
783 |
784 | * `root` is the system administrator
785 |
786 | * When logged in as root, the shell prompt shows the `#` character. Otherwise `$`
787 |
788 |
789 |
790 | * `su` Used to become root. It keeps the current session's environment, with the user and group id substituted
791 |   * It asks for the root password
792 | * `su -` Used to become root. It is the same as logging into a fresh session on a terminal
793 |   * It asks for the root password
794 | * `su - user` Log in as user.
795 |   * The password of user is required
796 |   * If the command is executed by root, no password is required
797 |
798 |
799 |
800 | * `sudo` command to allow an ordinary user to execute commands as a different user (usually the superuser)
802 |
803 | * In the default configuration, the group `wheel` is authorized to act as root. If a user is a member of `wheel`, they can execute any command as root with this syntax:
804 |   * `sudo command`
805 |   * **NOTE**: the user's own password must be provided
806 | * To add a user to wheel execute:
807 |   * `usermod -aG wheel username`
808 |
809 |
810 |
811 | * `visudo` Modify the sudo configuration
812 |
813 | * Basic configuration:
814 |   * ***demo*** ALL=(ALL:ALL) ALL
815 |     The first field indicates the username that the rule applies to.
816 |
817 |   * demo ***ALL***=(ALL:ALL) ALL
818 |     The first "ALL" indicates that this rule applies to all hosts.
819 |   * demo ALL=(***ALL***:ALL) ALL
820 |     This "ALL" indicates that user demo can run commands as all users.
821 |   * demo ALL=(ALL:***ALL***) ALL
822 |     This "ALL" indicates that user demo can run commands as all groups.
823 |   * demo ALL=(ALL:ALL) ***ALL***
824 |     The last "ALL" indicates that the rule applies to all commands.
825 |
826 | With this row in the sudo configuration, user demo can execute:
827 |
828 | `sudo -u user command`
829 |
830 | This runs command with the identity of user.
831 |
832 | If `-u` is not specified, the command is executed as root.
833 |
834 | User demo can open a root session by running:
835 |
836 | `sudo su -`
837 |
838 | The power of this command is that a root session can be opened by providing only the user's own password (in this case the password of user demo).
839 |
840 | This means that direct root login (with user and password) could be disabled, with root sessions opened only through `sudo`. Some Linux distributions use this as the default configuration (e.g. Ubuntu).
841 |
842 | The advantage is that the root password does not have to be shared when a new system administrator is added.
843 |
844 | * In the sudo configuration `%` indicates a group
845 |
846 | * `%users localhost=/sbin/shutdown -h now`
847 |
848 | The users in group users can execute the command /sbin/shutdown -h now on localhost as root
849 |
850 | * To simplify the sudo configuration, aliases can be used
851 |
852 | * `Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum`
853 |
854 | SOFTWARE can then be used in sudo configuration rows in place of the command list
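An added example (not from the original notes): a least-privilege sudoers drop-in built from a `Cmnd_Alias` and a `%group` rule, together with a small helper that splits a rule into the fields explained above and flags rules whose command list is `ALL`. The group name `ops`, the alias `SERVICES` and the command paths are constructed; the script only prints the drop-in and never writes under `/etc`.

```shell
#!/bin/sh
# Added example, not from the original notes. The group name "ops", the alias
# and the command paths are constructed; nothing is written under /etc.

# A least-privilege drop-in: members of group ops may run only the two
# commands in the alias, on any host, as root:root, with their own password.
make_sudoers_dropin() {
    cat <<'EOF'
Cmnd_Alias SERVICES = /usr/bin/systemctl restart sshd, /usr/bin/systemctl status sshd
%ops ALL=(root:root) SERVICES
EOF
}

# Split one rule into the fields explained above:
# who|host|runas-user|runas-group|commands. A rule without "(...)" runs its
# commands as root, which is the sudoers default.
parse_rule() {
    rule=$1
    who=${rule%% *};     rest=${rule#* }
    host=${rest%%=*};    rest=${rest#*=}
    case $rest in
        \(*\)*) runas=${rest#\(}; runas=${runas%%\)*}
                cmds=${rest#*\)};  cmds=${cmds# } ;;
        *)      runas=root; cmds=$rest ;;
    esac
    ruser=${runas%%:*}
    case $runas in *:*) rgroup=${runas#*:} ;; *) rgroup= ;; esac
    printf '%s|%s|%s|%s|%s\n' "$who" "$host" "$ruser" "$rgroup" "$cmds"
}

# Review helper: a rule whose command list is ALL is unrestricted root
# (it allows `sudo su -`); succeeds for such rules.
grants_everything() { [ "$(parse_rule "$1" | cut -d'|' -f5)" = "ALL" ]; }

# Syntax-check the drop-in the way visudo does before saving, if visudo is
# available here (it is not on every machine; then "skipped" is printed).
check_dropin() {
    f=$(mktemp); make_sudoers_dropin > "$f"; chmod 440 "$f"
    if command -v visudo > /dev/null 2>&1; then
        visudo -cf "$f" > /dev/null 2>&1 && echo ok || echo bad
    else
        echo skipped
    fi
    rm -f "$f"
}

# Demo when run directly.
echo "drop-in for /etc/sudoers.d/ops (not installed):"; make_sudoers_dropin
echo "check: $(check_dropin)"
for r in "demo ALL=(ALL:ALL) ALL" "%users localhost=/sbin/shutdown -h now"; do
    printf '%-45s -> %s' "$r" "$(parse_rule "$r")"
    grants_everything "$r" && echo "  [unrestricted root]" || echo
done
```

Rules whose last field is `ALL` are the ones worth reviewing first: they hand out a full root shell, whereas the alias form limits what the group can do to a named list of commands.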
855 |
--------------------------------------------------------------------------------